Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5rh5u9yBNf.exe

Overview

General Information

Sample name:5rh5u9yBNf.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:07f4c058658f085d434e78febc2365f0b8f25802
Analysis ID:1640358
MD5:d58531ddd40daa8ca1c3569ac1c0c4d3
SHA1:07f4c058658f085d434e78febc2365f0b8f25802
SHA256:5051edf86f5e10baca635c7319b42e0cd2395c1293a9de6b0d45a8236f689207
Infos:

Detection

GuLoader, HTMLPhisher
Score:76
Range:0 - 100
Confidence:100%

Compliance

Score:48
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected GuLoader
Yara detected HtmlPhish29
Yara detected HtmlPhish72
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a FSFilter Anti-Virus service
Creates files in the system32 config directory
Installs new ROOT certificates
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Overwrites Mozilla Firefox settings
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables driver privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 5rh5u9yBNf.exe (PID: 7780 cmdline: "C:\Users\user\Desktop\5rh5u9yBNf.exe" MD5: D58531DDD40DAA8CA1C3569AC1C0C4D3)
    • sc.exe (PID: 7888 cmdline: "C:\Windows\system32\sc.exe" control nossvc 200 MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • certutil.exe (PID: 8036 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • certutil.exe (PID: 8104 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -A -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cer" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
      • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7676 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nprotect_install.exe (PID: 7972 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe" /T:c:\temp MD5: B155EB00582FD78E6E38E403636B056F)
    • sc.exe (PID: 3588 cmdline: "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8124 cmdline: "C:\Windows\system32\sc.exe" description "nossvc" "nProtect Online Security(PFS)" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8108 cmdline: "C:\Windows\system32\sc.exe" start "nossvc" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nosstarter.npe (PID: 2304 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SET MD5: F4190D189D2BC1CD91B6E9DE43348F7B)
      • certutil.exe (PID: 7972 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 3480 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 8072 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 2140 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 1492 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 2968 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 3884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 1204 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 3616 cmdline: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Updater" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" description="nProtect Online Security Updater" dir=Out action=allow protocol=any enable=yes profile=any MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 8148 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 2084 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 3332 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 8044 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 1244 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" MD5: 451D8BBA38D15E7F9A3EDED071C1F43B)
        • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • noske64.exe (PID: 8096 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" h8kz9q MD5: 7CA16B5030D97CFED9BC4CE92C35CC3B)
        • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • npupdatec.exe (PID: 5944 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" https://supdated.nprotect.net/nprotect/nos_service/windows7/install/npsttupprm.dat`nos`p`ru:nos` MD5: 32D43E89EB8420EC8B31A56D32255E54)
    • dllhost.exe (PID: 8108 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • svchost.exe (PID: 7896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7484 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 7552 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7504 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3460 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2668 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 3792 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nossvc.exe (PID: 7404 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe" /SVC MD5: 49F5D9ABD17F4A8C8B7764E84CBD5D1B)
    • noske64.exe (PID: 2144 cmdline: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" u3j6oP MD5: 7CA16B5030D97CFED9BC4CE92C35CC3B)
      • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyav32u.dllGandcrabGandcrab Payloadkevoreilly
  • 0x156f14:$string1: GDCB-DECRYPT.txt
  • 0x156ef0:$string4: KRAB-DECRYPT.txt
C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosApsData.npbJoeSecurity_HtmlPhish_72Yara detected HtmlPhish_72Joe Security
    C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosApsData.npbJoeSecurity_HtmlPhish_29Yara detected HtmlPhish_29Joe Security
      C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosApsData.npbJoeSecurity_HtmlPhish_29Yara detected HtmlPhish_29Joe Security
        C:\Users\user\AppData\Local\Temp\nsxB7D4.tmpJoeSecurity_HtmlPhish_72Yara detected HtmlPhish_72Joe Security
          Click to see the 2 entries

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          Process Memory Space: 5rh5u9yBNf.exe PID: 7780JoeSecurity_GuLoader_3Yara detected GuLoaderJoe Security

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: System File Execution Location Anomaly
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release", CommandLine: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe, NewProcessName: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe, OriginalFileName: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe, ParentCommandLine: "C:\Users\user\Desktop\5rh5u9yBNf.exe", ParentImage: C:\Users\user\Desktop\5rh5u9yBNf.exe, ParentProcessId: 7780, ParentProcessName: 5rh5u9yBNf.exe, ProcessCommandLine: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release", ProcessId: 8036, ProcessName: certutil.exe
            Sigma detected: Execution of Suspicious File Type Extension
            Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SET, CommandLine: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SET, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe, NewProcessName: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe, OriginalFileName: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe, ParentCommandLine: "C:\Users\user\Desktop\5rh5u9yBNf.exe", ParentImage: C:\Users\user\Desktop\5rh5u9yBNf.exe, ParentProcessId: 7780, ParentProcessName: 5rh5u9yBNf.exe, ProcessCommandLine: "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SET, ProcessId: 2304, ProcessName: nosstarter.npe
            Sigma detected: New Service Creation Using Sc.EXE
            Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto, CommandLine: "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\5rh5u9yBNf.exe", ParentImage: C:\Users\user\Desktop\5rh5u9yBNf.exe, ParentProcessId: 7780, ParentProcessName: 5rh5u9yBNf.exe, ProcessCommandLine: "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto, ProcessId: 3588, ProcessName: sc.exe
            Sigma detected: Windows Processes Suspicious Parent Directory
            Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7896, ProcessName: svchost.exe

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results
            Source: nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_e3890e44-b

            Phishing

            barindex
            Yara detected HtmlPhish29
            Source: Yara matchFile source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosApsData.npb, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsxB7D4.tmp, type: DROPPED
            Yara detected HtmlPhish72
            Source: Yara matchFile source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosApsData.npb, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsxB7D4.tmp, type: DROPPED

            Compliance

            barindex
            Uses 32bit PE files
            Source: 5rh5u9yBNf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            PE / OLE file has a valid certificate
            Source: 5rh5u9yBNf.exeStatic PE information: certificate valid
            Uses secure TLS version for HTTPS connections
            Source: unknownHTTPS traffic detected: 61.111.25.114:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 23.196.243.115:443 -> 192.168.2.4:49741 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 3.39.42.215:443 -> 192.168.2.4:49743 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 43.200.91.241:443 -> 192.168.2.4:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 23.196.243.115:443 -> 192.168.2.4:49749 version: TLS 1.2
            Contains modern PE file flags such as dynamic base (ASLR) or NX
            Source: 5rh5u9yBNf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Binary contains paths to debug symbols
            Source: Binary string: d:\SVN\TKFWFLT\branches\IF1_RB-2012.01.05.01\Dll\tkfwflt\ReleaseU\tkfwfltU_dll.pdb`_ source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0609_tkfsav\trunk\2.0\bin\free\i386\TKFsAv.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002742000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\Build\Source\ASC20\Exe\ixNpamgr\Release\npamgr_32.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\exe\noske64\release\noske64.pdb` source: nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\dll\noskes\release\noskes.pdbd source: nossvc.exe, 00000017.00000003.1484957568.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004D3A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npeNSISUtil\build\bin\release\npeNSISUtil.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1722033622.000000001005C000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npefuncmgr\build\bin\release\npefuncmgr.pdb source: nosstarter.npe, 00000018.00000003.1524596028.000000000667E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.000000000677E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\dll\noskm\release\noskm.pdb source: nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010101000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_build\nProtectZ\tool\npDownTool\build\bin\release\nos_launcher.pdb source: nprotect_install.exe, 00000010.00000002.1378771300.00000000027F4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\Build\Source\ASC20\Exe\ixNpamgr\Release\npamgr_64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\ENGDEV_0606_TKRGFT\trunk\1.0\bin\free\i386\TKRgFtXp.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\hudson\worksp~1\enae3d~1.0\trunk\bin\free\i386\TKPcFtCb.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npestarter2\build\bin\release\nosstarter.pdb source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \Windows\dll\bin\Release\np_cu_f.pdb source: nossvc.exe, 00000017.00000002.2365035813.000000006C936000.00000002.00000001.01000000.00000021.sdmp
            Source: Binary string: h:\17440~1.wor\2ada3~1.sou\engdev~3\branches\if2e25~1.01_\bin\free\amd64\TKPcFtHk64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0904_tkpcft\trunk\1.0\bin\free\i386\TKPcFtHk.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0605_tkrgac\trunk\1.0\bin\free\i386\TKRgAc2k.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0606_tkrgft\trunk\1.0\bin\free\amd64\TKRgFtXp64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0801_tkfw\trunk\2.0\dll\tkfw\releaseu\TKFWU_dll.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0608_tkfsft\trunk\2.0\bin\free\amd64\TKFsFt64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0605_tkrgac\trunk\1.0\bin\free\amd64\TKRgAc2k64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\x64\Release\tknetcfg64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: E<d:\project\nos-d\engdev_0609_tkfsav\trunk\2.0\bin\free\amd64\TKFsAv64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e:\projec~1\en800b~1\branches\if1_rb~3.01_\bin\free\i386\tkids.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E67000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_build\nppb\release\nppb.pdb source: nossvc.exe, 00000017.00000003.1427883974.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452329789.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1430200229.000000000120C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npesvc60\build\bin\release\nossvc.pdb`K( source: nossvc.exe, 00000017.00000002.2349969265.0000000000401000.00000040.00000001.01000000.00000020.sdmp, nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\TKFWFLT\branches\IF1_RB-2012.01.05.01\Dll\tkfwflt\ReleaseU\tkfwfltU_dll.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\Release\Win32\tknetcfg.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\worksp~1\engdev~4.0\trunk\bin\free\i386\TKRgFt2k.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Build\ASC20\Acs20pkg\Dll\ixNpasdk\Release\npasdk.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e:\PROJEC~2\EN8FAA~1\branches\IF1_RB~3.01_\bin\free\i386\tkfwflt.pdb# source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\nProtectUninstaller\build\bin\release\nProtectUninstaller.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\exe\noske64\release\noske64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Build\ASC20\Acs20pkg\Dll\ixNpacr\Release\npacr_32.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0608_tkfsft\trunk\2.0\bin\free\i386\TKFsFt.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_build\nProtectZ\product\npn60\nossdk\nosxplatform\build\bin\release\nosxplatform.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\dll\noskes\release\noskes.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004D3A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npEngine\npefsav\build\bin\release\npefsav.pdb source: nossvc.exe, 00000017.00000003.1509624907.0000000004688000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2364437310.0000000010079000.00000002.00000001.01000000.00000026.sdmp, nossvc.exe, 00000017.00000003.1509861522.00000000048C7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\agent\_work\3\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: certutil.exe, 00000004.00000002.1211448695.000000006D391000.00000020.00000001.01000000.00000019.sdmp, certutil.exe, 00000006.00000002.1222750264.000000006D3B1000.00000020.00000001.01000000.00000019.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npestarter2\build\bin\release\nosstarter.pdb source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0904_tkpcft\trunk\1.0\bin\free\amd64\TKPcFtCb64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0609_tkfsav\trunk\2.0\bin\free\amd64\TKFsAv64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\Release\Win32\tknetcfg.pdb@<Hq source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e:\PROJEC~2\EN8FAA~1\branches\IF1_RB~3.01_\bin\free\i386\tkfwflt.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npesvc60\build\bin\release\nossvc.pdb source: nossvc.exe, 00000017.00000002.2349969265.0000000000401000.00000040.00000001.01000000.00000020.sdmp, nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Project\ENGDEV_0607_TKTOOL\trunk\1.0\dll\TKTool\x86\ReleaseU\TKToolU.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\x64\Release\tknetcfg64.pdb! source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Build\ASC20\Acs20pkg\Dll\ixNpacr\Release\npacr_64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp

            Networking

            barindex
            NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
            Source: TKFWFV.sys.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleCreate0, FwpmTransactionAbort0, FwpsInjectionHandleDestroy0, FwpsCalloutRegister0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpmEngineOpen0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmEngineClose0, FwpsCalloutUnregisterById0
            Source: TKFWFV64.sys.0.drStatic PE information: Found NDIS imports: FwpmFilterAdd0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmCalloutAdd0, FwpmTransactionCommit0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsCalloutUnregisterById0, FwpmEngineClose0
            Source: tkfwvt64.sys.0.drStatic PE information: Found NDIS imports: FwpmEngineClose0, FwpmTransactionBegin0, FwpsInjectTransportSendAsync0, FwpmFilterAdd0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpsAllocateCloneNetBufferList0, FwpmCalloutAdd0, FwpsInjectTransportReceiveAsync0, FwpmTransactionCommit0, FwpsInjectionHandleCreate0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectionHandleDestroy0, FwpsFreeCloneNetBufferList0, FwpsCalloutUnregisterById0
            Source: TKFWFV64.sys0.0.drStatic PE information: Found NDIS imports: FwpmFilterAdd0, FwpmCalloutAdd0, FwpsCalloutRegister0, FwpmTransactionAbort0, FwpmTransactionBegin0, FwpmEngineClose0, FwpsInjectionHandleCreate0, FwpmEngineOpen0, FwpsInjectionHandleDestroy0, FwpmTransactionCommit0, FwpsCalloutUnregisterById0
            Source: TKFWVT64.sys.0.drStatic PE information: Found NDIS imports: FwpmTransactionCommit0, FwpsInjectionHandleDestroy0, FwpmEngineOpen0, FwpsInjectionHandleCreate0, FwpmTransactionBegin0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectTransportSendAsync0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpsFreeCloneNetBufferList0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpmEngineClose0, FwpsAllocateCloneNetBufferList0, FwpsInjectTransportReceiveAsync0, FwpsCalloutUnregisterById0
            Source: TKIdsVt64.sys.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectNetworkSendAsync0, FwpmEngineOpen0, FwpsInjectionHandleCreate0, FwpmTransactionBegin0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpsFreeCloneNetBufferList0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpmEngineClose0, FwpsAllocateCloneNetBufferList0, FwpsCalloutUnregisterById0, FwpsQueryPacketInjectionState0, FwpmSubLayerAdd0, FwpmTransactionCommit0
            Source: TKIdsVt.sys.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsQueryPacketInjectionState0, FwpmEngineClose0, FwpsInjectNetworkSendAsync0, FwpsFreeCloneNetBufferList0, FwpmTransactionAbort0, FwpmTransactionCommit0, FwpmSubLayerAdd0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpsCalloutUnregisterById0, FwpsInjectionHandleCreate0, FwpsCalloutRegister0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpsAllocateCloneNetBufferList0
            Source: tkfwvt.sys.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpmEngineClose0, FwpmTransactionAbort0, FwpmTransactionCommit0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpsCalloutUnregisterById0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpsCalloutRegister0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsInjectTransportSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectionHandleCreate0
            Source: TKIdsVt64.sys0.0.drStatic PE information: Found NDIS imports: FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpsAllocateCloneNetBufferList0, FwpsCalloutRegister0, FwpmTransactionCommit0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmTransactionBegin0, FwpmEngineClose0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsQueryPacketInjectionState0, FwpsFreeCloneNetBufferList0, FwpmSubLayerAdd0, FwpmTransactionAbort0, FwpsCalloutUnregisterById0
            Source: TKFWFV64.sys1.0.drStatic PE information: Found NDIS imports: FwpmFilterAdd0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmCalloutAdd0, FwpmTransactionCommit0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsCalloutUnregisterById0, FwpmEngineClose0
            Source: TKIdsVt64.sys1.0.drStatic PE information: Found NDIS imports: FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpsAllocateCloneNetBufferList0, FwpsCalloutRegister0, FwpmTransactionCommit0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmTransactionBegin0, FwpmEngineClose0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsQueryPacketInjectionState0, FwpsFreeCloneNetBufferList0, FwpmSubLayerAdd0, FwpmTransactionAbort0, FwpsCalloutUnregisterById0
            Source: tkfwvt64.sys0.0.drStatic PE information: Found NDIS imports: FwpmEngineClose0, FwpmTransactionBegin0, FwpsInjectTransportSendAsync0, FwpmFilterAdd0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpsAllocateCloneNetBufferList0, FwpmCalloutAdd0, FwpsInjectTransportReceiveAsync0, FwpmTransactionCommit0, FwpsInjectionHandleCreate0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectionHandleDestroy0, FwpsFreeCloneNetBufferList0, FwpsCalloutUnregisterById0
            Source: TKFWFV.sys0.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleCreate0, FwpmTransactionAbort0, FwpsInjectionHandleDestroy0, FwpsCalloutRegister0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpmEngineOpen0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmEngineClose0, FwpsCalloutUnregisterById0
            Source: TKIdsVt.sys0.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsQueryPacketInjectionState0, FwpmEngineClose0, FwpsInjectNetworkSendAsync0, FwpsFreeCloneNetBufferList0, FwpmTransactionAbort0, FwpmTransactionCommit0, FwpmSubLayerAdd0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpsCalloutUnregisterById0, FwpsInjectionHandleCreate0, FwpsCalloutRegister0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpsAllocateCloneNetBufferList0
            Source: tkfwvt.sys0.0.drStatic PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpmEngineClose0, FwpmTransactionAbort0, FwpmTransactionCommit0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpsCalloutUnregisterById0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpsCalloutRegister0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsInjectTransportSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectionHandleCreate0
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/nos.check_force HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdate.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/nos.service HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /version HTTP/1.1Accept: */*User-Agent: npUpdateHost: bwtd.nprotect2.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/install/npsttupprm.dat HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nos_npupdate/nprotect/nos_service/windows7/install/npchl.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nos_npupdate/nprotect/nos_service/windows7/install/npsttuplist.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nos_npupdate/nprotect/nos_service/windows7/update/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/kc/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/stt/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/npos/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/uninstall/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/custom/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/custom2/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/image/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/image_new/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/bsc20/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/tkctrl/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/tkfw/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/tkfs/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/ptn/avlive/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/nprotect_install/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /version HTTP/1.1Accept: */*User-Agent: npUpdateHost: bwtd.nprotect2.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/ocx/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/ncert/update_conf.xml HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /version HTTP/1.1Accept: */*User-Agent: npUpdateHost: bwtd.nprotect2.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/kc/noskes.dll.nz HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficHTTP traffic detected: GET /nprotect/nos_service/windows7/drv/kc/noskp.sys.nz HTTP/1.1Accept: */*User-Agent: npUpdateHost: supdated.nprotect.net
            Source: global trafficDNS traffic detected: DNS query: supdate.nprotect.net
            Source: global trafficDNS traffic detected: DNS query: supdated.nprotect.net
            Source: global trafficDNS traffic detected: DNS query: bwtd.nprotect2.net
            Source: global trafficDNS traffic detected: DNS query: nsrs.nprotect.net
            Source: unknownHTTP traffic detected: POST /nosCollection.do HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8Content-Length: 1253User-Agent: npNsrsHost: nsrs.nprotect.netConnection: Keep-AliveCache-Control: no-cache
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://...
            Source: nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://...r
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ac.economia.gob.mx/cps.html0
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ac.economia.gob.mx/last.crl0G
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443864099.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acedicom.edicomgroup.com/doc0
            Source: nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
            Source: nossvc.exe, 00000017.00000003.1461878069.0000000004147000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455785826.0000000004136000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478953477.0000000004147000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702167355.0000000004147000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
            Source: nossvc.exe, 00000017.00000003.1454062529.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461661421.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702167355.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442674097.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360870987.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.mtin.es/mtin/ocsp0
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAss
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/1604
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.b
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443448686.0000000001243000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.0000000001244000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.defence.gov.au/pki0
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452329789.0000000005CCC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443781434.0000000005CCC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444613946.0000000005CCC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444384220.0000000005CCC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: nossvc.exe, 00000017.00000003.1441728545.0000000000A88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mi
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210127605.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210127605.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001B.00000003.1478614064.0000000000AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442891141.000000000126C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1702929011.0000000000A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
            Source: svchost.exe, 00000002.00000002.2419360928.00000295FFC8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
            Source: certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicer
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
            Source: certutil.exe, 00000004.00000003.1210127605.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001B.00000003.1478614064.0000000000AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/roo
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210127605.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210127605.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001B.00000003.1478614064.0000000000AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.0000000001209000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.0000000001209000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: nosstarter.npe, 00000018.00000003.1441185131.0000000001239000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1441610041.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d45fc49f5ef88
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFA7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFB37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443864099.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443333158.0000000001269000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
            Source: certutil.exe, 00000004.00000002.1211656739.000000006D3C4000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000004.00000002.1211772870.000000006D3F9000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000004.00000002.1211551946.000000006D3B3000.00000002.00000001.01000000.00000018.sdmp, certutil.exe, 00000006.00000002.1223318101.000000006D3E4000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000006.00000002.1223576007.000000006D419000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000006.00000002.1223147855.000000006D3D3000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.
            Source: certutil.exe, 00000004.00000002.1211772870.000000006D3F9000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000006.00000002.1223576007.000000006D419000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.License
            Source: certutil.exe, 00000004.00000002.1211656739.000000006D3C4000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000004.00000002.1211551946.000000006D3B3000.00000002.00000001.01000000.00000018.sdmp, certutil.exe, 00000006.00000002.1223318101.000000006D3E4000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000006.00000002.1223147855.000000006D3D3000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.http://www.mozilla.org/MPL/
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000000.1149041626.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375020069.0000000000408000.00000002.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000000.1370251300.0000000000408000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.ncdc.gov.sa0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443517747.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444487230.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210127605.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210325622.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210127605.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001B.00000003.1478614064.0000000000AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1702929011.0000000000A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442325037.0000000005D08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.registradores.org/normativa/index.htm0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443384156.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444487230.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451467383.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450383369.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://preview.nprotect.net/test/nos_service/win/npcnosc.npx
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://report.nprotect.net/phishingCheck.do
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://report.nprotect.net/phishingCheck.dos_sa
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450383369.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://report.nprotect.net/phishingInfo.do
            Source: nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://report.nprotect.net/phishingInfo.do.
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://report.nprotect.net/phishingInfo.doname=
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443864099.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443212477.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443813711.000000000123B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
            Source: nossvc.exe, 00000017.00000003.1479066249.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1462040398.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl
            Source: nossvc.exe, 00000017.00000003.1479066249.0000000000A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl.zE
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2351858744.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461810273.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030188546.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crlA
            Source: nossvc.exe, 00000017.00000003.1479345639.0000000000A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crlZ
            Source: nossvc.exe, 00000017.00000003.1462040398.0000000000A81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crlfz
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.sy
            Source: nossvc.exe, 00000017.00000003.1462107266.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2029907964.0000000004129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnz
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2351858744.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461810273.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030188546.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://scribe.test.nsrs.net/test.jsp?q=xml
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443813711.000000000123B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crl0a
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360269692.0000000004118000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1427883974.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1430200229.000000000121A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452329789.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452716442.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crl0f
            Source: nossvc.exe, 00000017.00000003.1455451875.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1462040398.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455858007.0000000000A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crlO~
            Source: nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360269692.0000000004118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crlQ
            Source: nossvc.exe, 00000017.00000003.1462107266.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455008309.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455858007.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crltp
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360269692.0000000004118000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crt0
            Source: nossvc.exe, 00000017.00000003.1455451875.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455008309.0000000000A48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com:80/sf.crl.
            Source: nossvc.exe, 00000017.00000003.1479201045.0000000004178000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461982408.0000000004177000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1466464690.000000000417D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455008309.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1454062529.0000000004177000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455858007.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com
            Source: nossvc.exe, 00000017.00000003.1454062529.0000000004177000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1454062529.0000000004188000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8A
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360269692.0000000004118000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com0&
            Source: nossvc.exe, 00000017.00000003.1455858007.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com1.3.6.1.5.5.7.48.2http://sf.symcb.com/sf.crt
            Source: nossvc.exe, 00000017.00000003.1462107266.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455008309.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455858007.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com1.3.6.1.5.5.7.48.2http://sf.symcb.com/sf.crtH
            Source: nossvc.exe, 00000017.00000003.1455008309.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455858007.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com1.3.6.1.5.5.7.48.2http://sf.symcb.com/sf.crtX
            Source: nossvc.exe, 00000017.00000003.1455008309.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455858007.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com5
            Source: nossvc.exe, 00000017.00000003.1479201045.0000000004178000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461982408.0000000004177000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1466464690.000000000417D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1454062529.0000000004177000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.comFVU
            Source: nossvc.exe, 00000017.00000003.1479201045.0000000004178000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461982408.0000000004177000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1466464690.000000000417D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1454062529.0000000004177000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.comVVE
            Source: nossvc.exe, 00000017.00000003.1455451875.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455008309.0000000000A48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.comhttp://sf.symcb.com/sf.crl
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.comhttp://sf.symcb.com/sf.crlG-
            Source: nossvc.exe, 00000017.00000003.1479201045.0000000004178000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461982408.0000000004177000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1466464690.000000000417D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1454062529.0000000004177000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.comnV=
            Source: nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/j
            Source: nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1703356202.000000000418A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2361152280.000000000418B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030748134.0000000004124000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478554899.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360269692.0000000004118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
            Source: nossvc.exe, 00000017.00000002.2360590554.000000000412C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1701948633.0000000004381000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2352069644.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1427950120.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2361871789.0000000004397000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2029907964.0000000004129000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1703106556.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1427883974.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1430200229.000000000121A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452329789.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452716442.00000000011EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0f
            Source: nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1703356202.000000000418A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2361152280.000000000418B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crlTL
            Source: nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030748134.0000000004124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crlj
            Source: nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crlk
            Source: nossvc.exe, 00000017.00000003.1479345639.0000000000A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crlr
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2360590554.000000000412C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1701948633.0000000004381000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2352069644.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
            Source: nossvc.exe, 00000017.00000003.1478668911.000000000418A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479201045.000000000418A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479648111.000000000418B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com
            Source: nossvc.exe, 00000017.00000003.1479345639.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2360590554.000000000412C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1701948633.0000000004381000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2352069644.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
            Source: nossvc.exe, 00000017.00000003.1479345639.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351634519.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1703106556.0000000000A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com1.3.6.1.5.5.7.48.2http://sv.symcb.com/sv.crt
            Source: nossvc.exe, 00000017.00000003.1479345639.0000000000A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com1.3.6.1.5.5.7.48.2http://sv.symcb.com/sv.crtX
            Source: nossvc.exe, 00000017.00000003.1479345639.0000000000A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com1.3.6.1.5.5.7.48.2http://sv.symcb.com/sv.crtp
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.comhttp://sv.symcb.com/sv.crl
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Ke
            Source: nossvc.exe, 00000017.00000003.1443482515.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443517747.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455008309.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
            Source: nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417297732.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.s5q
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1703106556.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351858744.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2359988537.0000000004010000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479066249.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030188546.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1462040398.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2352069644.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1427950120.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479538749.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351634519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702929011.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1703106556.0000000000A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1703106556.0000000000A80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://update.nprotect.net/nprotect/nos_service/win/npcnosc.npx
            Source: nosstarter.npe, 00000018.00000003.1451200654.0000000005847000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451223633.0000000005849000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451274456.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451490972.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://update.nprotect.net/nprotect/nos_service/win/npcnosc.npxr
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
            Source: nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443813711.000000000123B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
            Source: nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
            Source: nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
            Source: svchost.exe, 00000008.00000002.1365182204.0000016164E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443813711.000000000123B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
            Source: nossvc.exe, 00000017.00000003.1442255781.00000000041C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
            Source: nossvc.exe, 00000017.00000003.1442255781.00000000041C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443212477.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443813711.000000000123B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005D05000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444039302.0000000005D05000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444411755.0000000005D05000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005D05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
            Source: nossvc.exe, 00000017.00000003.1442255781.00000000041C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443212477.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442264504.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509861522.0000000004989000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004DB2000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004D35000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
            Source: nossvc.exe, 00000017.00000003.1454062529.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461661421.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702167355.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442674097.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360870987.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
            Source: nossvc.exe, 00000017.00000003.1454062529.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1478668911.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461661421.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702167355.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442674097.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360870987.0000000004172000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442405175.0000000004187000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442264504.0000000005D0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
            Source: nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442405175.0000000004187000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443013306.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442264504.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457940475.0000000006380000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466663272.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458463354.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458083426.00000000063BD000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457812005.0000000006380000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458755942.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.inca.co.kr%r%n-
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
            Source: certutil.exe, 00000004.00000002.1211656739.000000006D3C4000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000004.00000002.1211772870.000000006D3F9000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000004.00000002.1211551946.000000006D3B3000.00000002.00000001.01000000.00000018.sdmp, certutil.exe, 00000006.00000002.1223318101.000000006D3E4000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000006.00000002.1223576007.000000006D419000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000006.00000002.1223147855.000000006D3D3000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: http://www.mozilla.org/MPL/
            Source: certutil.exe, 00000004.00000002.1211772870.000000006D3F9000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000006.00000002.1223576007.000000006D419000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://www.mozilla.org/MPL/NSPR_FD_CACHE_SIZE_LOWNSPR_FD_CACHE_SIZE_HIGH;
            Source: nosstarter.npe, 00000018.00000003.1452503259.0000000001209000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452716442.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452503259.00000000011EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nProtect.co.kr
            Source: nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.0000000006864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nProtect.com
            Source: nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nprotect.com
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
            Source: nossvc.exe, 00000017.00000003.1443449487.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
            Source: nossvc.exe, 00000017.00000003.1442936737.0000000004148000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442457933.0000000005CD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443517747.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444487230.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443517747.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444487230.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
            Source: nossvc.exe, 00000017.00000003.1442438215.0000000004182000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442264504.0000000005D0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444487230.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442325037.0000000005D08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
            Source: nossvc.exe, 00000017.00000003.1443212477.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
            Source: 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.co
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2351858744.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461810273.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030188546.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000002.2351858744.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1461810273.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030188546.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442855548.0000000005CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
            Source: nossvc.exe, 00000017.00000003.1443347642.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443484945.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1444487230.000000000125F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443054227.000000000125D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: certutil.exe, 00000004.00000003.1210215410.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210056986.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217051226.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1214351292.0000000001904000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1215678464.0000000001909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451467383.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450383369.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://...
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bwtd.nprotect2.net/auth/api/v1
            Source: nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452119185.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bwtd.nprotect2.net/auth/api/v1UY
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bwtd.nprotect2.net/report/api/v1
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bwtd.nprotect2.net/report/api/v1y
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bwtd.nprotect2.net/stat/api/v1
            Source: nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bwtd.nprotect2.net/stat/api/v19/Hf
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
            Source: nosstarter.npe, 00000018.00000003.1457326600.000000000652C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cs.nprotect.com/
            Source: nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cs.nprotect.com/on1d
            Source: 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.sL_zt.
            Source: nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/)
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152220372.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000041F000.00000004.00000001.01000000.0000001D.sdmp, nprotect_install.exe, 00000010.00000002.1378771300.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, nprotect_install.exe, 00000010.00000002.1375063990.000000000042F000.00000004.00000001.01000000.0000001D.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
            Source: 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa
            Source: nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152206250.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152187346.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000003.1152167319.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1715829586.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402199675.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351375295.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402224969.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1402244487.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417260690.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417073540.0000000001202000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1417098843.00000000011E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
            Source: svchost.exe, 00000008.00000002.1365317815.0000016164E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
            Source: svchost.exe, 00000008.00000003.1364254353.0000016164E6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364328376.0000016164E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365259973.0000016164E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365371478.0000016164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364594662.0000016164E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364420088.0000016164E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365419846.0000016164E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 00000008.00000003.1364254353.0000016164E6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365419846.0000016164E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
            Source: svchost.exe, 00000008.00000002.1365396870.0000016164E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364306898.0000016164E67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
            Source: svchost.exe, 00000008.00000003.1364163200.0000016164E75000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365446661.0000016164E77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
            Source: svchost.exe, 00000008.00000003.1364328376.0000016164E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365371478.0000016164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365211418.0000016164E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364594662.0000016164E5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
            Source: svchost.exe, 00000008.00000002.1365211418.0000016164E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365396870.0000016164E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364306898.0000016164E67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
            Source: svchost.exe, 00000008.00000003.1364328376.0000016164E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365371478.0000016164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365211418.0000016164E2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
            Source: svchost.exe, 00000008.00000002.1365259973.0000016164E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
            Source: svchost.exe, 00000008.00000003.1364328376.0000016164E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365371478.0000016164E63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
            Source: svchost.exe, 00000008.00000003.1364672306.0000016164E32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
            Source: svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
            Source: svchost.exe, 00000008.00000003.1364328376.0000016164E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365371478.0000016164E63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
            Source: svchost.exe, 00000008.00000002.1365259973.0000016164E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364420088.0000016164E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
            Source: svchost.exe, 00000008.00000002.1365419846.0000016164E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
            Source: svchost.exe, 00000008.00000003.1364142482.0000016164E36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
            Source: svchost.exe, 00000008.00000002.1365211418.0000016164E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1365396870.0000016164E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364306898.0000016164E67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFB4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFAD3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1203546895.00000295FFAF2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1203546895.00000295FFB37000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1203546895.00000295FFB24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
            Source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://http://258EAFA5-E914-47DA-95CA-C5AB0DC85B11REPORTCONNECTOPTIONSPOSTGET._-$
            Source: nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.co
            Source: nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/ind3eKf.
            Source: nosstarter.npe, 00000018.00000003.1456725343.00000000057C9000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456923104.00000000057C9000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456668701.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457555058.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456031834.00000000057AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.h
            Source: nosstarter.npe, 00000018.00000003.1457326600.000000000652C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html#
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457418212.000000000653E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457326600.000000000652C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html$
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html%
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html&
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459023574.0000000006535000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html.
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459059112.000000000652C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html/
            Source: nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html/b
            Source: nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452119185.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html0a3a6
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457418212.000000000653E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457326600.000000000652C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html2
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459059112.000000000652C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html3
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457418212.000000000653E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457326600.000000000652C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html4
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html6
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html7
            Source: nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459023574.0000000006535000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html:
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html;
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html=
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlA
            Source: nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459023574.0000000006535000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlB
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlEs
            Source: nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459023574.0000000006535000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlL
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlM
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457418212.000000000653E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457326600.000000000652C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlP
            Source: nosstarter.npe, 00000018.00000003.1459059112.000000000652C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlQ
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlR
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlS
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlU
            Source: nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459116625.0000000005886000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458601783.0000000005877000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlZ
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlc
            Source: nosstarter.npe, 00000018.00000003.1528304992.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535406196.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458463354.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458869103.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458755942.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466441636.00000000057BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmldb(
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmle
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmless3
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlg
            Source: nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459116625.0000000005886000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458601783.0000000005877000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlh
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmli
            Source: nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459023574.0000000006535000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlj
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlk
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlo
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlp
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlq
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmls
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlu
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlv
            Source: nosstarter.npe, 00000018.00000003.1455643777.0000000006512000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459059112.000000000652C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455452065.00000000064BF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457127056.0000000006525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlw
            Source: nosstarter.npe, 00000018.00000003.1459059112.000000000652C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmly
            Source: nosstarter.npe, 00000018.00000003.1528304992.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535406196.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458463354.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458869103.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458755942.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466441636.00000000057BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmly(ef
            Source: nosstarter.npe, 00000018.00000003.1458463354.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458869103.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458755942.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466441636.00000000057BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.htmlz
            Source: nosstarter.npe, 00000018.00000003.1458985543.000000000651B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458722793.0000000006515000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1459023574.0000000006535000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nprotect.com/kr/index.html~
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.do
            Source: nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.do302bcc11r
            Source: nosstarter.npe, 00000018.00000003.1451247558.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.000000000583D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458310563.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455063493.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453633835.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455994660.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.doanupp
            Source: nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.donpo
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528304992.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457164323.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535406196.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456725343.00000000057C9000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456923104.00000000057C9000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457555058.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456668701.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457366491.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456031834.00000000057AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.dorotec
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528304992.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457164323.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535406196.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456725343.00000000057C9000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456923104.00000000057C9000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457555058.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456668701.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457366491.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456031834.00000000057AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.dos
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsrs.nprotect.net/nosCollection.dostall
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443689068.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
            Source: svchost.exe, 00000002.00000003.1203546895.00000295FFAA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457940475.0000000006380000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466663272.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458463354.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458083426.00000000063BD000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457812005.0000000006380000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458755942.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onlinesecurity.nprotect.com%r%n-
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451467383.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450383369.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://report.nprotect.net/phishingInfo.do
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442325037.0000000005D08000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452619968.0000000005D0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.tsp.zetes.com0
            Source: nosstarter.npe, 00000018.00000003.1451247558.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455063493.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453633835.000000000583C000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/nos.check
            Source: nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/nos.check1
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/nos.check_force
            Source: nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452119185.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/nos.checknsta
            Source: nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453633835.000000000583C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/nos.service
            Source: nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/nos.serviceOk
            Source: nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1476199241.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1471184504.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1470808278.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B94000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469672407.0000000004B6A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1477490669.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1470472311.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469383746.0000000004B6A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469500309.0000000004B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows/install/updateparam.dat
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555470861.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1554669670.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541206634.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485376834.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363393969.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550487263.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483915358.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1476199241.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541935307.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509330829.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483035968.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555349951.0000000004BA6000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1545688180.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483794897.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1551164851.0000000004BA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows/install/updateparam.dattM7
            Source: nprotect_install.exe, 00000010.00000002.1378771300.00000000027F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows/nos_param.datnos_param.dat$moddir$
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/custom/nosbank/p_nosbank.dat
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/custom/nosbank/p_nosbank.datb
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450383369.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/apsffsetup30.exe
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/apsffsetup30.exe:
            Source: nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/apsffsetup30.exeeckStatus
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/apsffsetup30.exeint
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/apsffsetup31.exe
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/npscanupprm.dat
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.0000000005800000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450576993.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450329180.00000000057A2000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450613276.00000000057C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/install/npsttupprm.dat
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/npcnosc.npx
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.nprotect.net/nprotect/nos_service/windows7/npcnosc.npxy
            Source: nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.tachyonlab.com/NOS/NOS10/ixUpdCnf.ixp.ixz
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466310010.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456561235.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451727260.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451820868.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457255276.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457024683.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456860836.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456372215.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455921565.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdate.tachyonlab.com/NOS/NOS10/ixUpdCnf.ixp.ixzt
            Source: nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453549700.00000000057DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdated.nprotect.net/nprotect/nos_service/nos.service
            Source: nosstarter.npe, 00000018.00000003.1529920094.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455859418.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1530546030.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1535524912.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527424251.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1455764742.000000000584E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458134369.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.0000000005856000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458496813.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1534409898.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458265048.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458337974.0000000005856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdated.nprotect.net/nprotect/nos_service/nos.service_j
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supdated.nprotect.net/nprotect/nos_service/windows/install/nos_setup.exenossvc.exenosstarter
            Source: svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
            Source: svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
            Source: svchost.exe, 00000008.00000003.1364631103.0000016164E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
            Source: svchost.exe, 00000008.00000003.1364142482.0000016164E36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
            Source: svchost.exe, 00000008.00000002.1365211418.0000016164E2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
            Source: svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
            Source: svchost.exe, 00000008.00000002.1365317815.0000016164E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1364462632.0000016164E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
            Source: nossvc.exe, 00000017.00000003.1442461488.0000000004152000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442369222.0000000005CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
            Source: nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457940475.0000000006380000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1466663272.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458463354.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458083426.00000000063BD000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458633998.00000000057F6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1457812005.0000000006380000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458755942.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458180789.00000000057DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.15660808.co.kr%r%nCopyright
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443059043.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1442988567.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
            Source: nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
            Source: nossvc.exe, 00000017.00000003.1442328508.0000000004175000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1702852169.0000000004179000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363777300.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.00000000101C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: nosstarter.npe, 00000018.00000003.1442264504.0000000005D0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
            Source: nosstarter.npe, 00000018.00000003.1443094814.0000000001246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
            Source: nossvc.exe, 00000017.00000003.1442367884.000000000416A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442290843.0000000005CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
            Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
            Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
            Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
            Source: unknownHTTPS traffic detected: 61.111.25.114:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 23.196.243.115:443 -> 192.168.2.4:49741 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 3.39.42.215:443 -> 192.168.2.4:49743 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 43.200.91.241:443 -> 192.168.2.4:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 23.196.243.115:443 -> 192.168.2.4:49749 version: TLS 1.2
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950ABJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWFV.catJump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile created: C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cerJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFWFV64.catJump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92FJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\dc-rootca.cerJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\Thawte.cerJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\tkfwfvarm64.catJump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A89DFCC31C360BA5CBD616749B1B1C5DJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\digi_trust.cerJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cerJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWFV.catJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKFWFV64.catJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\Root Certification Authority.cerJump to dropped file

            Spam, unwanted Advertisements and Ransom Demands

            barindex
            Writes many files with high entropy
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_meritzfire.npx entropy: 7.99191483751Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TYAVPU_000.bin entropy: 7.99981037213Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TYAVP_001.bin entropy: 7.99947227106Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TYAVSU_000.bin entropy: 7.9992487893Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_samsunglife_ga.npx entropy: 7.99674487681Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_bemy_koscom.npx entropy: 7.9967725935Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_bemyunicorn.npx entropy: 7.99601656585Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_fundkoscom.npx entropy: 7.99677674012Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npsmsgbox.npx entropy: 7.99146323678Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_kasset.npx entropy: 7.99645192475Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_kdbdw.npx entropy: 7.99100403152Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npsscanner.npx entropy: 7.99215126574Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npsstt.npx entropy: 7.99869886162Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npssttmsgbox.npx entropy: 7.99411118454Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_sks.npx entropy: 7.99715506195Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_wtskoscom.npx entropy: 7.9965102273Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_flab_hanwha.npx entropy: 7.99621178806Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_keris.npx entropy: 7.99716006547Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_keris_childneis.npx entropy: 7.99633581464Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_neis_keris.npx entropy: 7.99740829782Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_neis_public.npx entropy: 7.99710897238Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_hana_life.npx entropy: 7.99659824053Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\npx\npcUnInstallPolicy.npx entropy: 7.99460546721Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncompany_bithumb.npx entropy: 7.99652376507Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncompany_cmid.npx entropy: 7.99646903698Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TYAVPU_000.bin entropy: 7.99981037213Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TYAVP_001.bin entropy: 7.99947227106Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TYAVSU_000.bin entropy: 7.9992487893Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncompany_kindkrx.npx entropy: 7.99655148148Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcprotectpidallowlist.npx entropy: 7.99678158563Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcrtddriver.npx entropy: 7.99652812418Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcstt.npx entropy: 7.99847781857Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcsttmsgbox.npx entropy: 7.99756241074Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcsvc.npx entropy: 7.99801571943Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplfw.npx entropy: 7.99799065891Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplnpn.npx entropy: 7.9993369406Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplnpnuamsgbox.npx entropy: 7.9959948926Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplrtd.npx entropy: 7.99318520441Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplscanner.npx entropy: 7.99088367296Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplstt.npx entropy: 7.99944825448Jump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskes.npx entropy: 7.99394217321Jump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99602810784Jump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcstt.npx.bak entropy: 7.99847781857Jump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99602810784Jump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeFile created: C:\Users\user\AppData\LocalLow\Temp\nos\drv\kc\noskes.dll.nz entropy: 7.99903298526Jump to dropped file

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyav32u.dll, type: DROPPEDMatched rule: Gandcrab Payload Author: kevoreilly
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKIdsVt.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwvt.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKTool2k.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKTool2k64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKIdsVt64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noska.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noskp.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noskp64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\nosku.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\nosku64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\np_ck32s.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\np_ck64s.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\npkakl.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\npkfxa.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKCtrl2k.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKCtrlU.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFW.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWFV.catJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWFV.infJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWFV.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWU.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwflt.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwfltU.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkids.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkidsxU.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tknetcfg.exeJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tknetcfg64.exeJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKCtrl2k64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKFWFV.infJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKFWFV64.catJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKFWFV64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\tkfwvt64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsAv.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsFt.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtCb.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtHk.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgAc2k.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFt2k.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFtXp.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKToolu.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKFsAv64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKFsFt64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKPcFtCb64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKPcFtHk64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKRgAc2k64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\system32\TKRgFtXp64.sysJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsAvMu.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsFtMu.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtu.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgAcu.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFtu.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\Downloaded Program Files\nosxplatform.ocxJump to behavior
            Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\nProtect\
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\nProtect\Log
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\Log
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_7B515E7EBE66B3EE73F637DB4EAC6498
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_7B515E7EBE66B3EE73F637DB4EAC6498
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A89DFCC31C360BA5CBD616749B1B1C5D
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A89DFCC31C360BA5CBD616749B1B1C5D
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_57A2C0279A08627E11FF1DF2980084B2
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_57A2C0279A08627E11FF1DF2980084B2
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile deleted: C:\Windows\SysWOW64\noskp64.sysJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Load Driver
            Source: noskp.sys.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: nosku.sys.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: TKFWU.dll.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: TKFWU.dll.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: TKFWU.dll0.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: TKFWU.dll0.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: noskp.sys0.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: nosku.sys0.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: TKFWU.dll1.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: TKFWU.dll1.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametkidsP vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametknetcfg.exeL vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKFsAv.sys\ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKFsFt.syst* vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKPcFtCb.syst* vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKPcFtHk.syst* vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKRgAc2k.sysn' vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKRgFtXp.sysr) vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpacr_32(64).dllB vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNOSKES.DLL\ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNOSKE64.EXE\ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .$sysx86$INCA Internet Co.,Ltd.INCA Internet. Co., Ltd.INCA INTERNET CO., LTD.FileDescriptionFileVersionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionControl Panel\Desktop\PreferredUILanguagesGetSystemPreferredUILanguagesGetUserPreferredUILanguagesGetProcessPreferredUILanguagesGetThreadPreferredUILanguages vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenosxplatform.ocx: vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1722217853.0000000010086000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamenpeNSISUtil.dll8 vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000000.1149062043.0000000000456000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamenProtectOnlineSecurity.exe\ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1722033622.000000001005C000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: .FileDescriptionFileVersionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionControl Panel\Desktop\PreferredUILanguagesGetSystemPreferredUILanguagesGetUserPreferredUILanguagesGetProcessPreferredUILanguagesGetThreadPreferredUILanguages` vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.000000000293C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpamgr_32(64).exeB vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKFW.dllx, vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametkfwflt.sys^ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKRgAc2k.sysn' vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKRgFtXp.sysr) vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametkfwflt.dll|. vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenprotect_install.exe\ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .FileDescriptionFileVersionCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionControl Panel\Desktop\PreferredUILanguagesGetSystemPreferredUILanguagesGetUserPreferredUILanguagesGetProcessPreferredUILanguagesGetThreadPreferredUILanguagesT vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1722819701.000000006ED0A000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenameGetVersion.dllP vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpamgr_32(64).exeB vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpasdk.dllB vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKTool.dllp( vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.000000000286C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpacr_32(64).dllB vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKRgFt2k.sys^ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKFsAv.sys\ vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKFsFt.syst* vs 5rh5u9yBNf.exe
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTKPcFtCb.syst* vs 5rh5u9yBNf.exe
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeDriver loaded: \Registry\Machine\System\CurrentControlSet\Services\np_ck64s
            Source: 5rh5u9yBNf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyav32u.dll, type: DROPPEDMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
            Source: npasdk.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: noskm.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: npasdk.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: noskm.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: classification engineClassification label: mal76.rans.phis.troj.spyw.evad.winEXE@82/641@6/5
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternetJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db-journalJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\{CA64AC42-9D4F-4801-B139-A51FA069EE90}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:756:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeMutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagIEBJEFAAIDHBAAAA
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagIHPEDHAAAAJAAAAA
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeMutant created: \Sessions\1\BaseNamedObjects\N
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\Global\{0B66E6B9-5ED4-46d1-A6B7-18458DC10D1F}
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeMutant created: \BaseNamedObjects\npLog::logWrite_C:`Windows`system32`config`systemprofile`AppData`LocalLow`nProtect`Log`nossvc.exe.npo
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeMutant created: \BaseNamedObjects\Global\{19B85610-CE9F-4211-B358-30F2CADBC99B}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\npLog::logWrite_C:`Users`user`AppData`LocalLow`nProtect`Log`nosstarter.npe.npo
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2104:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeMutant created: \Sessions\1\BaseNamedObjects\npLog::logWrite_C:`Users`user`AppData`LocalLow`nProtect`Log`npupdatec.exe.log
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeMutant created: \Sessions\1\BaseNamedObjects\npupdate_prdt_nos
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeMutant created: \BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagILBLLEAAMOMBAAAA
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\Global\{8F786970-6F0D-4D0C-AF51-15D35A19A0D5}
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\Global\{C7F0ECD1-6F1D-48F6-9C50-390507D0E72A}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeMutant created: \Sessions\1\BaseNamedObjects\npLog::logWrite_C:`Users`user`AppData`LocalLow`nProtect`Log`npupdatec.log
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\Global\{EA3FC533-9ACA-4130-AF6C-00AE66299927}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagADLGNAABAAJAAAAA
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4480:120:WilError_03
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMutant created: \Sessions\1\BaseNamedObjects\Global\{6FFDA032-E224-498f-B462-B7840D8DFF04}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3884:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nshB775.tmpJump to behavior
            Source: 5rh5u9yBNf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ProcessorId from Win32_Processor
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a80, a102, a11, a81, a82, a101 FROM nssPublic where id=$ID LIMIT 1;`
            Source: certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a80, a102, a11, a81, a82, a101 FROM nssPublic where id=$ID LIMIT 1;d
            Source: certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a80, a102, a11, a81, a82, a101 FROM nssPublic where id=$ID LIMIT 1;
            Source: certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a80, a102, a11, a81, a82, a101 FROM nssPublic where id=$ID LIMIT 1;X
            Source: certutil.exe, 00000004.00000003.1209864551.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1211189492.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000003.1210036825.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a80, a102, a11, a81, a82, a101 FROM nssPublic where id=$ID LIMIT 1;8
            Source: certutil.exe, 00000006.00000002.1218683751.0000000000CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a1, a3 FROM nssPublic where id=$ID LIMIT 1;
            Source: certutil.exe, 00000004.00000002.1211009281.0000000000E3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a102, a0 FROM nssPublic where id=$ID LIMIT 1;
            Source: certutil.exe, 00000004.00000002.1211009281.0000000000E3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL id FROM nssPrivate WHERE a102=$DATA0 AND a0=$DATA1;
            Source: certutil.exe, 00000006.00000002.1218683751.0000000000CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a1, a3 FROM nssPublic where id=$ID LIMIT 1;,a2
            Source: certutil.exe, 00000006.00000003.1218458554.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.1218742961.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217958399.0000000000CEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM metaData LIMIT 0;
            Source: certutil.exe, 00000006.00000002.1218683751.0000000000CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT DISTINCT a1, a3 FROM nssPublic where id=$ID LIMIT 1;1;
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile read: C:\Users\user\Desktop\5rh5u9yBNf.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\5rh5u9yBNf.exe "C:\Users\user\Desktop\5rh5u9yBNf.exe"
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" control nossvc 200
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -A -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
            Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe" /T:c:\temp
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto
            Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" description "nossvc" "nProtect Online Security(PFS)"
            Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start "nossvc"
            Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe" /SVC
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SET
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" u3j6oP
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Updater" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" description="nProtect Online Security Updater" dir=Out action=allow protocol=any enable=yes profile=any
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" h8kz9q
            Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
            Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" https://supdated.nprotect.net/nprotect/nos_service/windows7/install/npsttupprm.dat`nos`p`ru:nos`
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" control nossvc 200Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -A -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cer"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=anyJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe" /T:c:\tempJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= autoJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" description "nossvc" "nProtect Online Security(PFS)"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start "nossvc"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SETJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" u3j6oP
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Updater" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" description="nProtect Online Security Updater" dir=Out action=allow protocol=any enable=yes profile=any
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" h8kz9q
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" https://supdated.nprotect.net/nprotect/nos_service/windows7/install/npsttupprm.dat`nos`p`ru:nos`
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nssutil3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: ssl3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: smime3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: sqlite3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nssutil3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: ssl3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: smime3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: sqlite3.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: linkinfo.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: ntshrui.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: cscapi.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: winmm.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: wtsapi32.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: userenv.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: netapi32.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: netutils.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: samcli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: wkscli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ntmarta.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: profapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: cryptsp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: rsaenh.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: gpapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: cryptnet.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: winnsi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: winhttp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: webio.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: cabinet.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: winsta.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: apphelp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSection loaded: devobj.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: winmm.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: msimg32.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: oledlg.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wtsapi32.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: version.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: netapi32.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: userenv.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: samcli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wkscli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: netutils.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: uxtheme.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: riched20.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: usp10.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: msls31.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: profapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: cryptsp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: rsaenh.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: ntmarta.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: gpapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: cryptnet.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: winnsi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: winhttp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: webio.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: cabinet.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: winsta.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: uiautomationcore.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: propsys.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: sxs.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: iertutil.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: windowscodecs.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: urlmon.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: srvcli.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: schannel.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: ntasn1.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: dpapi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: ncrypt.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: textshaping.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: textinputframework.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: coreuicomponents.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: coremessaging.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wintypes.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wintypes.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wintypes.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: oleacc.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: tkctrlu.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: devobj.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: amsi.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSection loaded: apphelp.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nssutil3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: ssl3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: smime3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: winmm.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: sqlite3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nssutil3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: ssl3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: smime3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: nss3.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: vcruntime140.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libnspr4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplc4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: libplds4.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeSection loaded: winmm.dll
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLL
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWindow detected: Number of UI elements: 17
            Source: 5rh5u9yBNf.exeStatic PE information: certificate valid
            Source: 5rh5u9yBNf.exeStatic file information: File size 28333400 > 1048576
            Source: 5rh5u9yBNf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: d:\SVN\TKFWFLT\branches\IF1_RB-2012.01.05.01\Dll\tkfwflt\ReleaseU\tkfwfltU_dll.pdb`_ source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0609_tkfsav\trunk\2.0\bin\free\i386\TKFsAv.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002742000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\Build\Source\ASC20\Exe\ixNpamgr\Release\npamgr_32.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\exe\noske64\release\noske64.pdb` source: nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\dll\noskes\release\noskes.pdbd source: nossvc.exe, 00000017.00000003.1484957568.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004D3A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npeNSISUtil\build\bin\release\npeNSISUtil.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1722033622.000000001005C000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npefuncmgr\build\bin\release\npefuncmgr.pdb source: nosstarter.npe, 00000018.00000003.1524596028.000000000667E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1524736318.000000000677E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\dll\noskm\release\noskm.pdb source: nosstarter.npe, 00000018.00000003.1540969221.0000000010160000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1540969221.0000000010101000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_build\nProtectZ\tool\npDownTool\build\bin\release\nos_launcher.pdb source: nprotect_install.exe, 00000010.00000002.1378771300.00000000027F4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\Build\Source\ASC20\Exe\ixNpamgr\Release\npamgr_64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002943000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\ENGDEV_0606_TKRGFT\trunk\1.0\bin\free\i386\TKRgFtXp.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\hudson\worksp~1\enae3d~1.0\trunk\bin\free\i386\TKPcFtCb.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npestarter2\build\bin\release\nosstarter.pdb source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \Windows\dll\bin\Release\np_cu_f.pdb source: nossvc.exe, 00000017.00000002.2365035813.000000006C936000.00000002.00000001.01000000.00000021.sdmp
            Source: Binary string: h:\17440~1.wor\2ada3~1.sou\engdev~3\branches\if2e25~1.01_\bin\free\amd64\TKPcFtHk64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0904_tkpcft\trunk\1.0\bin\free\i386\TKPcFtHk.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0605_tkrgac\trunk\1.0\bin\free\i386\TKRgAc2k.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0606_tkrgft\trunk\1.0\bin\free\amd64\TKRgFtXp64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0801_tkfw\trunk\2.0\dll\tkfw\releaseu\TKFWU_dll.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0608_tkfsft\trunk\2.0\bin\free\amd64\TKFsFt64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0605_tkrgac\trunk\1.0\bin\free\amd64\TKRgAc2k64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\x64\Release\tknetcfg64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: E<d:\project\nos-d\engdev_0609_tkfsav\trunk\2.0\bin\free\amd64\TKFsAv64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e:\projec~1\en800b~1\branches\if1_rb~3.01_\bin\free\i386\tkids.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E67000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_build\nppb\release\nppb.pdb source: nossvc.exe, 00000017.00000003.1427883974.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452329789.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1430200229.000000000120C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npesvc60\build\bin\release\nossvc.pdb`K( source: nossvc.exe, 00000017.00000002.2349969265.0000000000401000.00000040.00000001.01000000.00000020.sdmp, nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\TKFWFLT\branches\IF1_RB-2012.01.05.01\Dll\tkfwflt\ReleaseU\tkfwfltU_dll.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\Release\Win32\tknetcfg.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\worksp~1\engdev~4.0\trunk\bin\free\i386\TKRgFt2k.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Build\ASC20\Acs20pkg\Dll\ixNpasdk\Release\npasdk.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000029C4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e:\PROJEC~2\EN8FAA~1\branches\IF1_RB~3.01_\bin\free\i386\tkfwflt.pdb# source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\nProtectUninstaller\build\bin\release\nProtectUninstaller.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\exe\noske64\release\noske64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Build\ASC20\Acs20pkg\Dll\ixNpacr\Release\npacr_32.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0608_tkfsft\trunk\2.0\bin\free\i386\TKFsFt.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_build\nProtectZ\product\npn60\nossdk\nosxplatform\build\bin\release\nosxplatform.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Source\NOSK\dll\noskes\release\noskes.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484957568.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1484834134.0000000004D3A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npEngine\npefsav\build\bin\release\npefsav.pdb source: nossvc.exe, 00000017.00000003.1509624907.0000000004688000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2364437310.0000000010079000.00000002.00000001.01000000.00000026.sdmp, nossvc.exe, 00000017.00000003.1509861522.00000000048C7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\agent\_work\3\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: certutil.exe, 00000004.00000002.1211448695.000000006D391000.00000020.00000001.01000000.00000019.sdmp, certutil.exe, 00000006.00000002.1222750264.000000006D3B1000.00000020.00000001.01000000.00000019.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npestarter2\build\bin\release\nosstarter.pdb source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0904_tkpcft\trunk\1.0\bin\free\amd64\TKPcFtCb64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\project\nos-d\engdev_0609_tkfsav\trunk\2.0\bin\free\amd64\TKFsAv64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\Release\Win32\tknetcfg.pdb@<Hq source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e:\PROJEC~2\EN8FAA~1\branches\IF1_RB~3.01_\bin\free\i386\tkfwflt.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E15000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\001_Work\nProtectZ\product\npn60\npesvc60\build\bin\release\nossvc.pdb source: nossvc.exe, 00000017.00000002.2349969265.0000000000401000.00000040.00000001.01000000.00000020.sdmp, nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Project\ENGDEV_0607_TKTOOL\trunk\1.0\dll\TKTool\x86\ReleaseU\TKToolU.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002812000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\SVN\ENGDEV_0803_TKFWFLT\branches\IF1_RB-2010.03.16.01\App\TKNetCfg\x64\Release\tknetcfg64.pdb! source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Build\ASC20\Acs20pkg\Dll\ixNpacr\Release\npacr_64.pdb source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002871000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            Yara detected GuLoader
            Source: Yara matchFile source: Process Memory Space: 5rh5u9yBNf.exe PID: 7780, type: MEMORYSTR
            Source: noskes64.dll.0.drStatic PE information: real checksum: 0xb6183 should be: 0xaf9c2
            Source: GetVersion.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x3197
            Source: npeNSISUtil.dll.0.drStatic PE information: real checksum: 0x9ab9b should be: 0x9a390
            Source: nsDialogs.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa2f2
            Source: System.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x82fd
            Source: noskfx.dll.0.drStatic PE information: real checksum: 0x75384 should be: 0x7ecfb
            Source: nsExec.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xcd74
            Source: BWT.dll.0.drStatic PE information: real checksum: 0x54365 should be: 0x48b91
            Source: noskfx64.dll.0.drStatic PE information: real checksum: 0xbe3bd should be: 0xbecd5
            Source: UserInfo.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xaaa4
            Source: npacr_32.dll.0.drStatic PE information: section name: .SHARE_N
            Source: npacr_64.dll.0.drStatic PE information: section name: .SHARE_N
            Source: npamgr_32.exe.0.drStatic PE information: section name: .SHARE_N
            Source: npamgr_64.exe.0.drStatic PE information: section name: .SHARE_N
            Source: TKFWU.dll.0.drStatic PE information: section name: Shared
            Source: tkfwfltU.dll.0.drStatic PE information: section name: Shared
            Source: tkidsxU.dll.0.drStatic PE information: section name: Shared
            Source: TKFWU.dll0.0.drStatic PE information: section name: Shared
            Source: tkfwfltU.dll0.0.drStatic PE information: section name: Shared
            Source: tkidsxU.dll0.0.drStatic PE information: section name: Shared
            Source: TKFWU.dll1.0.drStatic PE information: section name: Shared
            Source: tkfwfltU.dll1.0.drStatic PE information: section name: Shared
            Source: tkidsxU.dll1.0.drStatic PE information: section name: Shared
            Source: initial sampleStatic PE information: section name: UPX0
            Source: initial sampleStatic PE information: section name: UPX1

            Persistence and Installation Behavior

            barindex
            Creates a FSFilter Anti-Virus service
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TKFsFtM\Instances\TKFsFtM Altitude
            Creates files in the system32 config directory
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\Log
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo
            Installs new ROOT certificates
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C6DFA1ED61736476EDA0364D132A786CF3D3475 BlobJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 BlobJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 BlobJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C6DFA1ED61736476EDA0364D132A786CF3D3475 Blob
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 Blob
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Blob
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKToolU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TySUtilu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\tktool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\npkfxa.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFWVT64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgAc2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskre64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwvt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npacr_32.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyavexcept.binJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\7z.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFW.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npebsc20.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npasdk.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskcv.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npesm.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\np_ck32s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\libplc4.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\npkakl.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\softokn3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosksdk64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\noske64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKCtrl2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskes64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\NpBWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefuncmgr.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\BwtTrust.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npealert.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\tyav32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\npPb.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKSPXP64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npPb.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TeCtrl.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\np_ck64s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKPcFtHk64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\tyavexcept.binJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npacr_64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\nProtectUninstaller.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKToolu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noska.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npamgr_32.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgFtXp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskkbd.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nos_launcher.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\sqlite3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\GetVersion.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosscanner.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefsav.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtHk.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefw.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\BwtTrust.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\tkfwvt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKIdsVt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosapp64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKIdsVt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossdk.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npsf.npbJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noska.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\freebl3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tknetcfg.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\sqlite3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TeCtrl.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskne64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TySUtilu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\vcruntime140.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwflt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwflt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsFt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npamgr_64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFtXp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskcp.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKFsFt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtCb.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKToolU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certmgr.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\npPb.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\nsDialogs.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\NpBWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKCtrl2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKNetCfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskre.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFW.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKPcFtCb.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskes.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\nsExec.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskcv64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\INICRYPTOSDK.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKNetCfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwvt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgFt2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nss3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskfx.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\np_ck64s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\np_ck32s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\NpHttpsLib.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkids.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\NpHttpsLib.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosku.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TeCtrlu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsAv.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\tkfwvt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFt2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskne.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nssckbi.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TkPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosuseractor.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\BWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noskp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noskp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\libnspr4.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKFsAv.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgAc2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyav32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\Downloaded Program Files\nosxplatform.ocxJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkids.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npslm20.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWFV.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\npkakl.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\nosku.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npertd.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npeurlmon.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\ssl3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossdk64.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosksdk.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\libplds4.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKPcFtHk.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKCtrlU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKCtrlU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWFV.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nssutil3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\npeNSISUtil.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskm.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKCtrlU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\UserInfo.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\BWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosapp.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKToolu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tknetcfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\npkfxa.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskfx64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKPcFtHk64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\smime3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TeCtrlu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\noskp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\np_ck64s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\npkfxa.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFtXp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noskp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtCb.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgAc2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwvt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noskp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKToolu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkids.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\Downloaded Program Files\nosxplatform.ocxJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKCtrl2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFW.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKPcFtHk.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\nosku.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKIdsVt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\npkakl.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\noska.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tknetcfg.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\np_ck32s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKCtrlU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFWFV.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsAv.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\tkfwvt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKRgFt2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tknetcfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\tkfwflt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\SysWOW64\TKFsFt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Windows\System32\TKPcFtHk64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosscanner.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossdk.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossdk64.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosuseractor.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npealert.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npebsc20.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefsav.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefuncmgr.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefw.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npertd.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npesm.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npeurlmon.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npsf.npbJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npslm20.npdJump to dropped file
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nosku
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\INCAInternetJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\INCAInternet\nProtect Online Security V1.0.lnkJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" control nossvc 200

            Hooking and other Techniques for Hiding and Protection

            barindex
            May modify the system service descriptor table (often done to hook functions)
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KeServiceDescriptorTable
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002766000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KeServiceDescriptorTable
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsxB7D4.tmp, type: DROPPED
            Query firmware table information (likely to detect VMs)
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSystem information queried: FirmwareTableInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSystem information queried: FirmwareTableInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSystem information queried: FirmwareTableInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSystem information queried: FirmwareTableInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSystem information queried: FirmwareTableInformation
            Tries to detect sandboxes / dynamic malware analysis system (registry check)
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile opened: HKEY_USERS.DEFAULT\Software\Wine
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 4CDD2B second address: 4CDD30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 64EDCA second address: 64EDD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 64EDD0 second address: 64EDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 64EDD6 second address: 64EDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671BFA second address: 671C08 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB14C7341B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671C08 second address: 671C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB14CFE7C16h 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671C12 second address: 671C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671C16 second address: 671C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14CFE7C1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007FB14CFE7C1Ch 0x00000017 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671C3D second address: 671C4E instructions: 0x00000000 rdtsc 0x00000002 je 00007FB14C7341B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671C4E second address: 671C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66F9DE second address: 66FA0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C0h 0x00000007 jmp 00007FB14C7341C8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66FA0E second address: 66FA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66FA12 second address: 66FA2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66FB7E second address: 66FB9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB14CFE7C24h 0x00000008 jnp 00007FB14CFE7C16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66FB9D second address: 66FBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FB14C7341BEh 0x0000000b jc 00007FB14C7341B6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jc 00007FB14C7341C7h 0x0000001c jmp 00007FB14C7341C1h 0x00000021 push esi 0x00000022 push esi 0x00000023 pop esi 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66FD6F second address: 66FD75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 66FD75 second address: 66FD82 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB14C7341B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67006F second address: 670073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6701CA second address: 6701CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67060A second address: 67060F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67131A second address: 67133F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB14C7341C8h 0x00000008 jnp 00007FB14C7341B6h 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6714EB second address: 671507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jc 00007FB14CFE7C25h 0x0000000d jmp 00007FB14CFE7C1Dh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671507 second address: 671549 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB14C7341D1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB14C7341C8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 671549 second address: 67154D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 641D2C second address: 641D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 675421 second address: 67542B instructions: 0x00000000 rdtsc 0x00000002 js 00007FB14CFE7C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67542B second address: 67544D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB14C7341C9h 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 63B1E9 second address: 63B1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 63B1ED second address: 63B208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AC6F second address: 67AC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AC74 second address: 67AC79 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AC79 second address: 67AC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jc 00007FB14CFE7C16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AC8B second address: 67AC95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AC95 second address: 67ACDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b jnc 00007FB14CFE7C18h 0x00000011 pop eax 0x00000012 mov eax, dword ptr [eax] 0x00000014 jns 00007FB14CFE7C32h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007FB14CFE7C1Ch 0x00000026 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67ACDF second address: 67ACE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AF02 second address: 67AF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67AF06 second address: 67AF37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB14C7341C7h 0x00000008 jmp 00007FB14C7341BEh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67DFE4 second address: 67DFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67DFE8 second address: 67E00E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FB14C7341C5h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67E00E second address: 67E024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14CFE7C21h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67E024 second address: 67E02A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67E02A second address: 67E046 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jmp 00007FB14CFE7C1Eh 0x00000012 pop esi 0x00000013 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67E67E second address: 67E685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67EDAC second address: 67EDB6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB14CFE7C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67EDB6 second address: 67EDC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341BDh 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67EDC7 second address: 67EDCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67EE50 second address: 67EE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67F3C2 second address: 67F40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FB14CFE7C24h 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D17DDh], ecx 0x00000013 xchg eax, ebx 0x00000014 push edx 0x00000015 jmp 00007FB14CFE7C1Fh 0x0000001a pop edx 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB14CFE7C22h 0x00000023 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 67F8C3 second address: 67F8F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB14C7341CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007FB14C7341CDh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB14C7341BBh 0x00000018 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6801B7 second address: 6801BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6801BB second address: 680221 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB14C7341B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FB14C7341B8h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push ecx 0x00000016 jns 00007FB14C7341B6h 0x0000001c pop ecx 0x0000001d jmp 00007FB14C7341BCh 0x00000022 popad 0x00000023 nop 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007FB14C7341B8h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e push 00000000h 0x00000040 and si, 7D19h 0x00000045 push 00000000h 0x00000047 mov di, si 0x0000004a xchg eax, ebx 0x0000004b jnp 00007FB14C7341C4h 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 680221 second address: 680225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 680225 second address: 680230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 680A5D second address: 680A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FB14CFE7C1Ch 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007FB14CFE7C22h 0x00000016 pop ebx 0x00000017 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6816FC second address: 681700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 681700 second address: 681706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 683895 second address: 683899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 683899 second address: 6838A6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB14CFE7C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 684B2E second address: 684B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007FB14C7341C4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 684B40 second address: 684B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 687046 second address: 687094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB14C7341BDh 0x0000000a popad 0x0000000b nop 0x0000000c sub ebx, 3651B3C8h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FB14C7341B8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e sub ebx, dword ptr [ebp+122D2C8Eh] 0x00000034 push 00000000h 0x00000036 sub ebx, dword ptr [ebp+122D2BAAh] 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push ecx 0x00000041 pop ecx 0x00000042 pop eax 0x00000043 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6880CA second address: 6880CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6872B2 second address: 6872B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6880CF second address: 6880D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 688FCB second address: 688FE7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB14C7341C3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6882B5 second address: 6882B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 688FE7 second address: 68905C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FB14C7341B8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov di, CFCEh 0x00000027 cld 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007FB14C7341B8h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov ebx, dword ptr [ebp+122D233Eh] 0x0000004a push 00000000h 0x0000004c mov edi, 07C54B3Fh 0x00000051 xchg eax, esi 0x00000052 jmp 00007FB14C7341BFh 0x00000057 push eax 0x00000058 jl 00007FB14C7341C0h 0x0000005e push eax 0x0000005f push edx 0x00000060 push esi 0x00000061 pop esi 0x00000062 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6882B9 second address: 6882C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68916E second address: 689172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68AFA5 second address: 68AFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 689172 second address: 689229 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB14C7341B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e movsx edi, cx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 sub dword ptr [ebp+12469351h], esi 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007FB14C7341B8h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f ja 00007FB14C7341BCh 0x00000045 mov eax, dword ptr [ebp+122D03A5h] 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e call 00007FB14C7341B8h 0x00000053 pop eax 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 add dword ptr [esp+04h], 00000018h 0x00000060 inc eax 0x00000061 push eax 0x00000062 ret 0x00000063 pop eax 0x00000064 ret 0x00000065 sbb edi, 08C67C70h 0x0000006b push FFFFFFFFh 0x0000006d sbb bx, 4B00h 0x00000072 and di, 70DAh 0x00000077 nop 0x00000078 jnl 00007FB14C7341D0h 0x0000007e push eax 0x0000007f push edx 0x00000080 push eax 0x00000081 push edx 0x00000082 je 00007FB14C7341B6h 0x00000088 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68AFA9 second address: 68AFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68AFAF second address: 68AFC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB14C7341BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68AFC2 second address: 68AFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+12456308h], ecx 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 mov dword ptr [ebp+122D1A81h], edx 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c and edi, 4766A1BFh 0x00000022 xchg eax, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FB14CFE7C20h 0x0000002c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68AFF9 second address: 68B00D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68BFCF second address: 68C047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB14CFE7C16h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push edx 0x00000012 xor di, 5067h 0x00000017 pop ebx 0x00000018 jmp 00007FB14CFE7C23h 0x0000001d push 00000000h 0x0000001f sub dword ptr [ebp+122D23E7h], edx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007FB14CFE7C18h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 sub edi, dword ptr [ebp+122D28D5h] 0x00000047 xchg eax, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d jmp 00007FB14CFE7C27h 0x00000052 popad 0x00000053 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68D126 second address: 68D12A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68D12A second address: 68D1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB14CFE7C21h 0x0000000c jmp 00007FB14CFE7C1Bh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 jng 00007FB14CFE7C1Ch 0x0000001b mov dword ptr [ebp+122D2902h], esi 0x00000021 mov dword ptr [ebp+122D36F3h], ebx 0x00000027 push 00000000h 0x00000029 pushad 0x0000002a call 00007FB14CFE7C24h 0x0000002f mov edx, 32168826h 0x00000034 pop eax 0x00000035 jp 00007FB14CFE7C1Ch 0x0000003b popad 0x0000003c push 00000000h 0x0000003e mov bx, EE27h 0x00000042 xchg eax, esi 0x00000043 push ecx 0x00000044 jmp 00007FB14CFE7C1Ch 0x00000049 pop ecx 0x0000004a push eax 0x0000004b je 00007FB14CFE7C28h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68D1A1 second address: 68D1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E046 second address: 68E04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E04E second address: 68E052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E052 second address: 68E0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FB14CFE7C18h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 sub bl, 0000001Fh 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FB14CFE7C18h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 call 00007FB14CFE7C26h 0x00000048 mov dword ptr [ebp+12456308h], edi 0x0000004e pop edi 0x0000004f push eax 0x00000050 je 00007FB14CFE7C33h 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FB14CFE7C21h 0x0000005d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68FED4 second address: 68FEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB14C7341B6h 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E218 second address: 68E225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E225 second address: 68E22B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E22B second address: 68E230 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E230 second address: 68E2AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D21A0h] 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FB14C7341B8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D221Fh], ebx 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov edi, 1D1BD354h 0x00000041 mov eax, dword ptr [ebp+122D0AFDh] 0x00000047 and ebx, dword ptr [ebp+122D2A92h] 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push esi 0x00000052 call 00007FB14C7341B8h 0x00000057 pop esi 0x00000058 mov dword ptr [esp+04h], esi 0x0000005c add dword ptr [esp+04h], 00000015h 0x00000064 inc esi 0x00000065 push esi 0x00000066 ret 0x00000067 pop esi 0x00000068 ret 0x00000069 and edi, dword ptr [ebp+122D2BCEh] 0x0000006f nop 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 68E2AD second address: 68E2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 691F9E second address: 691FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 691FA2 second address: 692009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007FB14CFE7C1Fh 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 jnc 00007FB14CFE7C2Eh 0x00000018 nop 0x00000019 mov edi, dword ptr [ebp+122D29F2h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 xor ebx, 69CFD018h 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d pop eax 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 popad 0x00000031 pop eax 0x00000032 push eax 0x00000033 pushad 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 692009 second address: 692014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 69468A second address: 6946CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14CFE7C21h 0x00000009 popad 0x0000000a jmp 00007FB14CFE7C26h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jne 00007FB14CFE7C1Ch 0x00000018 jp 00007FB14CFE7C1Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 692234 second address: 692238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6956BA second address: 6956BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6956BE second address: 695754 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FB14C7341B8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 clc 0x00000025 pushad 0x00000026 add cx, F200h 0x0000002b jmp 00007FB14C7341BDh 0x00000030 popad 0x00000031 jmp 00007FB14C7341C0h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007FB14C7341B8h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 js 00007FB14C7341CEh 0x00000058 jo 00007FB14C7341C8h 0x0000005e jmp 00007FB14C7341C2h 0x00000063 push 00000000h 0x00000065 push eax 0x00000066 pushad 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 695754 second address: 695775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14CFE7C29h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6959A6 second address: 6959AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6968EC second address: 6968F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6969DA second address: 6969DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6969DE second address: 6969E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4665 second address: 6A466D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A47DA second address: 6A47E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A47E2 second address: 6A47F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007FB14C7341BCh 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A47F5 second address: 6A47FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4957 second address: 6A4971 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB14C7341C0h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4971 second address: 6A4975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4AEA second address: 6A4AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4AEE second address: 6A4B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FB14CFE7C1Ch 0x0000000c ja 00007FB14CFE7C16h 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4B00 second address: 6A4B05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4B05 second address: 6A4B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB14CFE7C1Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4C90 second address: 6A4C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4C94 second address: 6A4C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4F88 second address: 6A4F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4F8C second address: 6A4F94 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A4F94 second address: 6A4F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB14C7341B6h 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A882B second address: 6A884E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB14CFE7C24h 0x0000000e jnp 00007FB14CFE7C16h 0x00000014 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A884E second address: 6A887F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BCh 0x00000007 jmp 00007FB14C7341C3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jnp 00007FB14C7341B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A887F second address: 6A889A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14CFE7C22h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A889A second address: 6A88B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14C7341C6h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6A88B4 second address: 6A88C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B328B second address: 6B3293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B3293 second address: 6B32CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FB14CFE7C22h 0x0000000d jmp 00007FB14CFE7C25h 0x00000012 jg 00007FB14CFE7C16h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B140D second address: 6B142A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FB14C7341BCh 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B174E second address: 6B1752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B1752 second address: 6B1758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B1758 second address: 6B1788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C25h 0x00000009 jmp 00007FB14CFE7C27h 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B1BD4 second address: 6B1C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14C7341C2h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007FB14C7341C1h 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e popad 0x0000001f jbe 00007FB14C7341BCh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2915 second address: 6B2919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2919 second address: 6B2921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2921 second address: 6B2936 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB14CFE7C1Eh 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2936 second address: 6B2942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2942 second address: 6B2946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2946 second address: 6B2950 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB14C7341B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2950 second address: 6B2959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B2959 second address: 6B297B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a jmp 00007FB14C7341C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B297B second address: 6B2989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jns 00007FB14CFE7C16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6437C6 second address: 6437D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FB14C7341B6h 0x0000000c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6437D2 second address: 6437D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6437D6 second address: 6437E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B73A5 second address: 6B73A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B73A9 second address: 6B73E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 jmp 00007FB14C7341C9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jnc 00007FB14C7341B8h 0x00000015 js 00007FB14C7341BCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6B99E6 second address: 6B9A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007FB14CFE7C16h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push ecx 0x00000010 jmp 00007FB14CFE7C1Ch 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop ecx 0x00000018 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6BBD15 second address: 6BBD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6C13A3 second address: 6C13AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6CF948 second address: 6CF956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007FB14C7341CEh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6CF956 second address: 6CF95C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6CFA9C second address: 6CFAA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FB14C7341B6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6DCFD1 second address: 6DCFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007FB14CFE7C36h 0x0000000b jl 00007FB14CFE7C1Ah 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB14CFE7C1Ch 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6DF683 second address: 6DF698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB14C7341BAh 0x00000009 jl 00007FB14C7341B6h 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6DF698 second address: 6DF69E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6DF69E second address: 6DF6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6E608A second address: 6E6090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6E6090 second address: 6E60AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB14C7341C1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6E60AB second address: 6E60AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6E60AF second address: 6E60B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F0BA3 second address: 6F0BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F48D7 second address: 6F48E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F48E1 second address: 6F48E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F48E7 second address: 6F48EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F48EB second address: 6F48F5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB14CFE7C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F48F5 second address: 6F48FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F48FB second address: 6F4905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB14CFE7C16h 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 6F4905 second address: 6F4909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 636100 second address: 636107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 704687 second address: 704693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB14C7341B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 704693 second address: 7046AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007FB14CFE7C16h 0x00000011 popad 0x00000012 jo 00007FB14CFE7C18h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 7046AD second address: 7046C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BCh 0x00000007 push edx 0x00000008 jbe 00007FB14C7341B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 704353 second address: 70435B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70435B second address: 704379 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB14C7341B6h 0x00000008 jmp 00007FB14C7341C1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70A36D second address: 70A389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB14CFE7C25h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70A679 second address: 70A67D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70A67D second address: 70A687 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB14CFE7C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70A827 second address: 70A82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70A82B second address: 70A831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70AC9F second address: 70ACAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70B108 second address: 70B134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d ja 00007FB14CFE7C16h 0x00000013 jl 00007FB14CFE7C16h 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70B134 second address: 70B13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70B13A second address: 70B144 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB14CFE7C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70B144 second address: 70B14A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70B14A second address: 70B14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70F9AF second address: 70F9B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70FC22 second address: 70FC43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+1245627Ah], ecx 0x00000010 push 00000004h 0x00000012 movzx edx, cx 0x00000015 push FDBCF5BAh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70FC43 second address: 70FC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70FDE1 second address: 70FDF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70FDF2 second address: 70FDFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FB14C7341B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 70FDFD second address: 70FE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+12469355h], eax 0x00000010 jmp 00007FB14CFE7C24h 0x00000015 push dword ptr [ebp+122D24FFh] 0x0000001b mov edx, 1C71B221h 0x00000020 push C0F4E96Fh 0x00000025 push eax 0x00000026 pushad 0x00000027 jmp 00007FB14CFE7C28h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C08D9 second address: 30C093C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB14C7341BFh 0x00000009 xor cl, FFFFFFEEh 0x0000000c jmp 00007FB14C7341C9h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 call dword ptr [76D5188Ch] 0x0000001d mov edi, edi 0x0000001f push ebp 0x00000020 mov ebp, esp 0x00000022 push ecx 0x00000023 mov ecx, dword ptr [7FFE0004h] 0x00000029 mov dword ptr [ebp-04h], ecx 0x0000002c cmp ecx, 01000000h 0x00000032 jc 00007FB14C765C95h 0x00000038 mov eax, 7FFE0320h 0x0000003d mov eax, dword ptr [eax] 0x0000003f mul ecx 0x00000041 shrd eax, edx, 00000018h 0x00000045 mov esp, ebp 0x00000047 pop ebp 0x00000048 ret 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007FB14C7341BAh 0x00000050 and al, 00000068h 0x00000053 jmp 00007FB14C7341BBh 0x00000058 popfd 0x00000059 mov esi, 4CF4765Fh 0x0000005e popad 0x0000005f pop ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C093C second address: 30C0940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0940 second address: 30C0957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0957 second address: 31518F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov edx, 4CDBA136h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d ret 0x0000000e nop 0x0000000f xor esi, eax 0x00000011 lea eax, dword ptr [ebp-10h] 0x00000014 push eax 0x00000015 call 00007FB14FCDEFB4h 0x0000001a mov edi, edi 0x0000001c pushad 0x0000001d popad 0x0000001e push edx 0x0000001f jmp 00007FB14CFE7C1Ah 0x00000024 mov dword ptr [esp], ebp 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FB14CFE7C1Eh 0x0000002e and esi, 38AE0408h 0x00000034 jmp 00007FB14CFE7C1Bh 0x00000039 popfd 0x0000003a mov si, 7A7Fh 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 jmp 00007FB14CFE7C22h 0x00000046 pop ebp 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007FB14CFE7C1Dh 0x00000050 and cx, E5D6h 0x00000055 jmp 00007FB14CFE7C21h 0x0000005a popfd 0x0000005b pushfd 0x0000005c jmp 00007FB14CFE7C20h 0x00000061 and eax, 2E5223F8h 0x00000067 jmp 00007FB14CFE7C1Bh 0x0000006c popfd 0x0000006d popad 0x0000006e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31518F0 second address: 31518F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31518F6 second address: 31518FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130EA6 second address: 3130EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130EAC second address: 3130EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130EB0 second address: 3130EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31516FF second address: 3151725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB14CFE7C1Dh 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151725 second address: 315172B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315172B second address: 315172F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315172F second address: 3151751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, edx 0x00000011 push ebx 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30B0D52 second address: 30B0D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30B0D56 second address: 30B0D5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30B0D5C second address: 30B0D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30B0D62 second address: 30B0D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0A37 second address: 30C0A46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0A46 second address: 30C0A9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007FB14C7341BBh 0x0000000c add eax, 4CFE79FEh 0x00000012 jmp 00007FB14C7341C9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 call 00007FB14C7341C9h 0x00000028 pop eax 0x00000029 popad 0x0000002a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0A9E second address: 30C0AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C1Dh 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0AAF second address: 30C0ACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FB14C7341BDh 0x0000000f push dword ptr [ebp+04h] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0ACC second address: 30C0B46 instructions: 0x00000000 rdtsc 0x00000002 call 00007FB14CFE7C29h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007FB14CFE7C21h 0x00000010 jmp 00007FB14CFE7C1Bh 0x00000015 popfd 0x00000016 popad 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e pushad 0x0000001f mov ecx, edx 0x00000021 mov esi, edi 0x00000023 popad 0x00000024 popad 0x00000025 push dword ptr [ebp+08h] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007FB14CFE7C21h 0x00000031 xor si, 1466h 0x00000036 jmp 00007FB14CFE7C21h 0x0000003b popfd 0x0000003c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31404BA second address: 31404D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov ch, dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB14C7341BAh 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31404D4 second address: 31404D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31404D8 second address: 31404DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 312070B second address: 3120746 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB14CFE7C27h 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e inc eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB14CFE7C27h 0x00000017 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120746 second address: 31207A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx eax, bx 0x00000009 popad 0x0000000a lock xadd dword ptr [ecx], eax 0x0000000e jmp 00007FB14C7341C1h 0x00000013 inc eax 0x00000014 pushad 0x00000015 mov esi, 4DC84FD3h 0x0000001a mov di, si 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007FB14C7341C7h 0x00000027 call 00007FB14C7341C8h 0x0000002c pop ecx 0x0000002d popad 0x0000002e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31207A5 second address: 31207AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31207AB second address: 31207AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150019 second address: 3150037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB14CFE7C1Eh 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150037 second address: 3150046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150046 second address: 3150095 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B951h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FB14CFE7C28h 0x00000014 jmp 00007FB14CFE7C25h 0x00000019 popfd 0x0000001a call 00007FB14CFE7C20h 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150095 second address: 315013B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 movzx eax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FB14C7341C5h 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 jmp 00007FB14C7341BCh 0x0000001a call 00007FB14C7341C2h 0x0000001f pushfd 0x00000020 jmp 00007FB14C7341C2h 0x00000025 jmp 00007FB14C7341C5h 0x0000002a popfd 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov eax, dword ptr fs:[00000030h] 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FB14C7341C8h 0x0000003c sbb eax, 5ABB0CB8h 0x00000042 jmp 00007FB14C7341BBh 0x00000047 popfd 0x00000048 movzx eax, bx 0x0000004b popad 0x0000004c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315013B second address: 3150162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB14CFE7C1Ah 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150162 second address: 3150168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150168 second address: 31501C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FB14CFE7C20h 0x00000011 mov dword ptr [esp], ebx 0x00000014 pushad 0x00000015 jmp 00007FB14CFE7C1Eh 0x0000001a pushfd 0x0000001b jmp 00007FB14CFE7C22h 0x00000020 xor al, 00000008h 0x00000023 jmp 00007FB14CFE7C1Bh 0x00000028 popfd 0x00000029 popad 0x0000002a mov ebx, dword ptr [eax+10h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31501C2 second address: 31501C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31501C6 second address: 31501CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31501CC second address: 3150213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, di 0x00000010 pushfd 0x00000011 jmp 00007FB14C7341C9h 0x00000016 adc cx, 9F86h 0x0000001b jmp 00007FB14C7341C1h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150213 second address: 3150237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB14CFE7C1Ch 0x00000011 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150237 second address: 3150254 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 204BC722h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB14C7341BBh 0x00000017 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150254 second address: 3150258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150258 second address: 315025E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315025E second address: 3150282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [76D806ECh] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150282 second address: 31502BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB14C7341C0h 0x00000009 xor ecx, 2FCFF948h 0x0000000f jmp 00007FB14C7341BBh 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test esi, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB14C7341BBh 0x00000023 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31502BC second address: 31502D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C24h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31502D4 second address: 31502EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FB14C73504Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB14C7341BAh 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31502EE second address: 3150348 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ax, 519Bh 0x0000000f call 00007FB14CFE7C20h 0x00000014 mov si, 1C81h 0x00000018 pop esi 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c mov di, ax 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FB14CFE7C24h 0x00000026 sbb eax, 065B22C8h 0x0000002c jmp 00007FB14CFE7C1Bh 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150348 second address: 3150358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop eax 0x0000000c mov ax, bx 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150358 second address: 315037E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call dword ptr [76D50B60h] 0x0000000f mov eax, 7768E5E0h 0x00000014 ret 0x00000015 pushad 0x00000016 mov edi, ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315037E second address: 31503F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB14C7341C6h 0x0000000a or ax, 32B8h 0x0000000f jmp 00007FB14C7341BBh 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 push 00000044h 0x00000019 jmp 00007FB14C7341C6h 0x0000001e pop edi 0x0000001f pushad 0x00000020 jmp 00007FB14C7341BEh 0x00000025 popad 0x00000026 push esi 0x00000027 jmp 00007FB14C7341BCh 0x0000002c mov dword ptr [esp], edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov edi, 2FA69D90h 0x00000037 mov ecx, ebx 0x00000039 popad 0x0000003a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31503F0 second address: 3150421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB14CFE7C27h 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150421 second address: 3150426 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504A8 second address: 31504AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504AE second address: 31504B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504B2 second address: 31504C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504C2 second address: 31504C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504C6 second address: 31504CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504CA second address: 31504D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504D0 second address: 31504FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 45B8h 0x00000007 mov ah, dl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FB1C0B96DE2h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007FB14CFE7C25h 0x0000001a pop eax 0x0000001b mov bh, 05h 0x0000001d popad 0x0000001e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31504FE second address: 31505AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 6BC8495Ch 0x00000008 mov ch, dl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d sub eax, eax 0x0000000f pushad 0x00000010 mov ax, di 0x00000013 pushfd 0x00000014 jmp 00007FB14C7341BFh 0x00000019 xor al, FFFFFF8Eh 0x0000001c jmp 00007FB14C7341C9h 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esi], edi 0x00000025 pushad 0x00000026 mov dl, ah 0x00000028 mov bx, B21Ch 0x0000002c popad 0x0000002d mov dword ptr [esi+04h], eax 0x00000030 pushad 0x00000031 push ebx 0x00000032 mov bl, ah 0x00000034 pop ebx 0x00000035 pushfd 0x00000036 jmp 00007FB14C7341C6h 0x0000003b sbb cx, F668h 0x00000040 jmp 00007FB14C7341BBh 0x00000045 popfd 0x00000046 popad 0x00000047 mov dword ptr [esi+08h], eax 0x0000004a jmp 00007FB14C7341C6h 0x0000004f mov dword ptr [esi+0Ch], eax 0x00000052 jmp 00007FB14C7341C0h 0x00000057 mov eax, dword ptr [ebx+4Ch] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31505AF second address: 31505B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31505B3 second address: 31505B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31505B9 second address: 315060F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB14CFE7C22h 0x00000008 pushfd 0x00000009 jmp 00007FB14CFE7C22h 0x0000000e xor ax, 7D88h 0x00000013 jmp 00007FB14CFE7C1Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esi+10h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FB14CFE7C25h 0x00000026 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315060F second address: 315062D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 movsx edx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+50h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB14C7341BCh 0x00000017 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315062D second address: 3150633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150633 second address: 3150710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 mov ecx, ebx 0x00000012 popad 0x00000013 mov eax, dword ptr [ebx+54h] 0x00000016 jmp 00007FB14C7341C5h 0x0000001b mov dword ptr [esi+18h], eax 0x0000001e pushad 0x0000001f movzx ecx, dx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FB14C7341BFh 0x00000029 and ecx, 00D94A9Eh 0x0000002f jmp 00007FB14C7341C9h 0x00000034 popfd 0x00000035 mov ch, EEh 0x00000037 popad 0x00000038 popad 0x00000039 mov eax, dword ptr [ebx+58h] 0x0000003c pushad 0x0000003d movsx ebx, cx 0x00000040 push ecx 0x00000041 pushfd 0x00000042 jmp 00007FB14C7341C1h 0x00000047 adc ax, CB86h 0x0000004c jmp 00007FB14C7341C1h 0x00000051 popfd 0x00000052 pop eax 0x00000053 popad 0x00000054 mov dword ptr [esi+1Ch], eax 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a pushfd 0x0000005b jmp 00007FB14C7341C3h 0x00000060 or ecx, 0B074ABEh 0x00000066 jmp 00007FB14C7341C9h 0x0000006b popfd 0x0000006c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150710 second address: 3150738 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FB14CFE7C1Ch 0x0000000b pop eax 0x0000000c popad 0x0000000d mov eax, dword ptr [ebx+5Ch] 0x00000010 pushad 0x00000011 mov di, ACCEh 0x00000015 mov ecx, edi 0x00000017 popad 0x00000018 mov dword ptr [esi+20h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150738 second address: 315073C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315073C second address: 3150742 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150742 second address: 3150760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+60h] 0x0000000b jmp 00007FB14C7341BAh 0x00000010 mov dword ptr [esi+24h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150760 second address: 315077D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315077D second address: 31507D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+64h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB14C7341C3h 0x00000015 xor cx, B59Eh 0x0000001a jmp 00007FB14C7341C9h 0x0000001f popfd 0x00000020 mov cx, 1D67h 0x00000024 popad 0x00000025 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31507D0 second address: 31507EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C28h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31507EC second address: 3150833 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+28h], eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB14C7341C4h 0x00000015 and cx, F128h 0x0000001a jmp 00007FB14C7341BBh 0x0000001f popfd 0x00000020 push esi 0x00000021 mov bl, EFh 0x00000023 pop eax 0x00000024 popad 0x00000025 mov eax, dword ptr [ebx+68h] 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150833 second address: 3150874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 099Ch 0x00000008 popad 0x00000009 pushfd 0x0000000a jmp 00007FB14CFE7C25h 0x0000000f sbb cx, BFF6h 0x00000014 jmp 00007FB14CFE7C21h 0x00000019 popfd 0x0000001a popad 0x0000001b mov dword ptr [esi+2Ch], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 movzx eax, bx 0x00000024 popad 0x00000025 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150874 second address: 315087A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315087A second address: 315087E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315087E second address: 3150899 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+6Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150899 second address: 315089E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315089E second address: 31508B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341C5h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31508B7 second address: 31508DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+30h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, DFEEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31508DB second address: 31508E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31508E0 second address: 31508F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C21h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31508F5 second address: 3150922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+00000088h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB14C7341BDh 0x00000019 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150922 second address: 3150946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5551CA62h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+32h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FB14CFE7C1Eh 0x00000017 movzx esi, bx 0x0000001a popad 0x0000001b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150946 second address: 315094C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315094C second address: 3150950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150950 second address: 315099B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+0000008Ch] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB14C7341C0h 0x00000015 add ax, 8758h 0x0000001a jmp 00007FB14C7341BBh 0x0000001f popfd 0x00000020 mov dx, ax 0x00000023 popad 0x00000024 mov dword ptr [esi+34h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FB14C7341C1h 0x0000002e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315099B second address: 31509CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c jmp 00007FB14CFE7C1Eh 0x00000011 mov dword ptr [esi+38h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31509CA second address: 31509CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31509CE second address: 31509D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31509D4 second address: 31509E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341BBh 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31509E3 second address: 3150AB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+1Ch] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FB14CFE7C1Bh 0x00000012 sbb esi, 04502D8Eh 0x00000018 jmp 00007FB14CFE7C29h 0x0000001d popfd 0x0000001e push ecx 0x0000001f pop esi 0x00000020 popad 0x00000021 mov dword ptr [esi+3Ch], eax 0x00000024 jmp 00007FB14CFE7C29h 0x00000029 mov eax, dword ptr [ebx+20h] 0x0000002c jmp 00007FB14CFE7C1Eh 0x00000031 mov dword ptr [esi+40h], eax 0x00000034 pushad 0x00000035 pushad 0x00000036 mov ecx, 20046703h 0x0000003b pushfd 0x0000003c jmp 00007FB14CFE7C28h 0x00000041 and ch, FFFFFFC8h 0x00000044 jmp 00007FB14CFE7C1Bh 0x00000049 popfd 0x0000004a popad 0x0000004b pushfd 0x0000004c jmp 00007FB14CFE7C28h 0x00000051 sub cx, 9728h 0x00000056 jmp 00007FB14CFE7C1Bh 0x0000005b popfd 0x0000005c popad 0x0000005d lea eax, dword ptr [ebx+00000080h] 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150AB5 second address: 3150AD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150AD0 second address: 3150AD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150AD5 second address: 3150B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b jmp 00007FB14C7341C1h 0x00000010 nop 0x00000011 jmp 00007FB14C7341BEh 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150B06 second address: 3150B25 instructions: 0x00000000 rdtsc 0x00000002 mov ch, bl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 mov bl, 3Eh 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB14CFE7C1Fh 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150B25 second address: 3150B42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150B42 second address: 3150BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d mov cl, 3Ah 0x0000000f pushfd 0x00000010 jmp 00007FB14CFE7C29h 0x00000015 adc ch, 00000026h 0x00000018 jmp 00007FB14CFE7C21h 0x0000001d popfd 0x0000001e popad 0x0000001f nop 0x00000020 pushad 0x00000021 jmp 00007FB14CFE7C1Ch 0x00000026 movzx eax, di 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push edx 0x0000002f pop ecx 0x00000030 jmp 00007FB14CFE7C25h 0x00000035 popad 0x00000036 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150BBB second address: 3150BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150BC1 second address: 3150BCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150BCE second address: 3150BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150BF5 second address: 3150CED instructions: 0x00000000 rdtsc 0x00000002 call 00007FB14CFE7C20h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov edi, eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FB14CFE7C1Ah 0x00000015 jmp 00007FB14CFE7C25h 0x0000001a popfd 0x0000001b pop esi 0x0000001c push edi 0x0000001d pushfd 0x0000001e jmp 00007FB14CFE7C1Ch 0x00000023 and cx, DC78h 0x00000028 jmp 00007FB14CFE7C1Bh 0x0000002d popfd 0x0000002e pop eax 0x0000002f popad 0x00000030 test edi, edi 0x00000032 jmp 00007FB14CFE7C1Fh 0x00000037 js 00007FB1C0B96676h 0x0000003d jmp 00007FB14CFE7C26h 0x00000042 mov eax, dword ptr [ebp-0Ch] 0x00000045 jmp 00007FB14CFE7C20h 0x0000004a mov dword ptr [esi+04h], eax 0x0000004d pushad 0x0000004e call 00007FB14CFE7C1Eh 0x00000053 call 00007FB14CFE7C22h 0x00000058 pop eax 0x00000059 pop edi 0x0000005a mov si, EA57h 0x0000005e popad 0x0000005f lea eax, dword ptr [ebx+78h] 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 call 00007FB14CFE7C1Fh 0x0000006a pop eax 0x0000006b jmp 00007FB14CFE7C29h 0x00000070 popad 0x00000071 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150CED second address: 3150D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB14C7341C7h 0x00000009 sbb cx, 366Eh 0x0000000e jmp 00007FB14C7341C9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FB14C7341C0h 0x0000001a and ecx, 6AC151E8h 0x00000020 jmp 00007FB14C7341BBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push 00000001h 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FB14C7341C4h 0x00000032 or ah, 00000048h 0x00000035 jmp 00007FB14C7341BBh 0x0000003a popfd 0x0000003b popad 0x0000003c push esi 0x0000003d pushad 0x0000003e push esi 0x0000003f mov edi, 01ADD042h 0x00000044 pop edi 0x00000045 pushad 0x00000046 mov edx, eax 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150D83 second address: 3150DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB14CFE7C28h 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150DA8 second address: 3150DB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150DB7 second address: 3150DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150DBD second address: 3150E07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-08h] 0x0000000b pushad 0x0000000c mov di, F250h 0x00000010 pushfd 0x00000011 jmp 00007FB14C7341C9h 0x00000016 sub esi, 387442D6h 0x0000001c jmp 00007FB14C7341C1h 0x00000021 popfd 0x00000022 popad 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E07 second address: 3150E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E0B second address: 3150E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E1E second address: 3150E24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E24 second address: 3150E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E73 second address: 3150E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E79 second address: 3150E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E7D second address: 3150E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150E81 second address: 3150EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b call 00007FB14C7341C5h 0x00000010 mov ecx, 0E591DC7h 0x00000015 pop eax 0x00000016 mov si, dx 0x00000019 popad 0x0000001a test edi, edi 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov edi, 7D7E49B6h 0x00000024 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150EB5 second address: 3150EDB instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, 1AD215AFh 0x0000000c popad 0x0000000d js 00007FB1C0B9640Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB14CFE7C21h 0x0000001a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150EDB second address: 3150F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB14C7341BCh 0x00000013 or ax, E738h 0x00000018 jmp 00007FB14C7341BBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007FB14C7341C6h 0x00000026 add esi, 6E656198h 0x0000002c jmp 00007FB14C7341BBh 0x00000031 popfd 0x00000032 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3150F3D second address: 3150F9B instructions: 0x00000000 rdtsc 0x00000002 call 00007FB14CFE7C28h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e jmp 00007FB14CFE7C21h 0x00000013 lea eax, dword ptr [ebx+70h] 0x00000016 jmp 00007FB14CFE7C1Eh 0x0000001b push 00000001h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB14CFE7C27h 0x00000024 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315103C second address: 3151040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151040 second address: 3151044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151044 second address: 315104A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315104A second address: 3151082 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b pushad 0x0000000c mov bh, D8h 0x0000000e popad 0x0000000f test edi, edi 0x00000011 jmp 00007FB14CFE7C1Ah 0x00000016 js 00007FB1C0B9625Ah 0x0000001c pushad 0x0000001d mov di, cx 0x00000020 mov ax, 8699h 0x00000024 popad 0x00000025 mov eax, dword ptr [ebp-14h] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151082 second address: 3151086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151086 second address: 3151117 instructions: 0x00000000 rdtsc 0x00000002 call 00007FB14CFE7C1Eh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007FB14CFE7C1Bh 0x00000010 or eax, 58AEA2BEh 0x00000016 jmp 00007FB14CFE7C29h 0x0000001b popfd 0x0000001c popad 0x0000001d mov ecx, esi 0x0000001f pushad 0x00000020 mov di, cx 0x00000023 mov si, D8FFh 0x00000027 popad 0x00000028 mov dword ptr [esi+0Ch], eax 0x0000002b pushad 0x0000002c movzx esi, di 0x0000002f movsx edx, ax 0x00000032 popad 0x00000033 mov edx, 76D806ECh 0x00000038 pushad 0x00000039 jmp 00007FB14CFE7C21h 0x0000003e popad 0x0000003f sub eax, eax 0x00000041 jmp 00007FB14CFE7C27h 0x00000046 lock cmpxchg dword ptr [edx], ecx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151117 second address: 315111B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315111B second address: 315111F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315111F second address: 3151125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151125 second address: 315112B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315112B second address: 315112F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 315112F second address: 3151133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151133 second address: 31511D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007FB14C7341C0h 0x0000000e test eax, eax 0x00000010 pushad 0x00000011 jmp 00007FB14C7341BEh 0x00000016 popad 0x00000017 jne 00007FB1C02E2734h 0x0000001d jmp 00007FB14C7341C7h 0x00000022 mov edx, dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 mov al, CBh 0x00000028 mov di, 2F14h 0x0000002c popad 0x0000002d mov eax, dword ptr [esi] 0x0000002f jmp 00007FB14C7341C3h 0x00000034 mov dword ptr [edx], eax 0x00000036 pushad 0x00000037 mov si, EB6Bh 0x0000003b pushad 0x0000003c mov ch, bh 0x0000003e popad 0x0000003f popad 0x00000040 mov eax, dword ptr [esi+04h] 0x00000043 pushad 0x00000044 movzx eax, di 0x00000047 push eax 0x00000048 push edx 0x00000049 pushfd 0x0000004a jmp 00007FB14C7341BDh 0x0000004f sbb eax, 5A3F67E6h 0x00000055 jmp 00007FB14C7341C1h 0x0000005a popfd 0x0000005b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31511D6 second address: 3151211 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB14CFE7C20h 0x00000008 sub ecx, 4948BB88h 0x0000000e jmp 00007FB14CFE7C1Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [edx+04h], eax 0x0000001a pushad 0x0000001b movzx eax, di 0x0000001e mov edi, 0BC1E664h 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+08h] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151211 second address: 3151270 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB14C7341C2h 0x00000008 sub al, 00000018h 0x0000000b jmp 00007FB14C7341BBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FB14C7341C8h 0x00000019 and cx, 3B78h 0x0000001e jmp 00007FB14C7341BBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [edx+08h], eax 0x00000028 pushad 0x00000029 mov di, ax 0x0000002c push eax 0x0000002d push edx 0x0000002e mov esi, 538728FDh 0x00000033 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151270 second address: 31512AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esi+0Ch] 0x0000000d jmp 00007FB14CFE7C20h 0x00000012 mov dword ptr [edx+0Ch], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB14CFE7C27h 0x0000001c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31512AE second address: 3151327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB14C7341C3h 0x00000015 add si, F35Eh 0x0000001a jmp 00007FB14C7341C9h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FB14C7341C0h 0x00000026 and cx, 1F58h 0x0000002b jmp 00007FB14C7341BBh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151327 second address: 31513DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 call 00007FB14CFE7C20h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [edx+10h], eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB14CFE7C27h 0x00000019 add si, 137Eh 0x0000001e jmp 00007FB14CFE7C29h 0x00000023 popfd 0x00000024 mov cx, D9C7h 0x00000028 popad 0x00000029 mov eax, dword ptr [esi+14h] 0x0000002c jmp 00007FB14CFE7C1Ah 0x00000031 mov dword ptr [edx+14h], eax 0x00000034 pushad 0x00000035 mov eax, ebx 0x00000037 popad 0x00000038 mov eax, dword ptr [esi+18h] 0x0000003b pushad 0x0000003c pushad 0x0000003d mov cx, dx 0x00000040 mov eax, edx 0x00000042 popad 0x00000043 mov cx, bx 0x00000046 popad 0x00000047 mov dword ptr [edx+18h], eax 0x0000004a jmp 00007FB14CFE7C25h 0x0000004f mov eax, dword ptr [esi+1Ch] 0x00000052 jmp 00007FB14CFE7C1Eh 0x00000057 mov dword ptr [edx+1Ch], eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FB14CFE7C1Ah 0x00000063 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31513DE second address: 31513E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31513E4 second address: 3151436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+20h] 0x0000000c jmp 00007FB14CFE7C20h 0x00000011 mov dword ptr [edx+20h], eax 0x00000014 pushad 0x00000015 mov esi, 5D65029Dh 0x0000001a mov di, ax 0x0000001d popad 0x0000001e mov eax, dword ptr [esi+24h] 0x00000021 jmp 00007FB14CFE7C24h 0x00000026 mov dword ptr [edx+24h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151436 second address: 3151453 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3151453 second address: 31514C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+28h] 0x0000000c pushad 0x0000000d call 00007FB14CFE7C1Ch 0x00000012 pushfd 0x00000013 jmp 00007FB14CFE7C22h 0x00000018 adc cx, 7718h 0x0000001d jmp 00007FB14CFE7C1Bh 0x00000022 popfd 0x00000023 pop eax 0x00000024 mov di, 105Ch 0x00000028 popad 0x00000029 mov dword ptr [edx+28h], eax 0x0000002c pushad 0x0000002d movsx edi, cx 0x00000030 mov si, C719h 0x00000034 popad 0x00000035 mov ecx, dword ptr [esi+2Ch] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB14CFE7C1Eh 0x00000041 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31514C3 second address: 31514C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31514C9 second address: 31515BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+2Ch], ecx 0x0000000c pushad 0x0000000d push esi 0x0000000e movsx ebx, si 0x00000011 pop ecx 0x00000012 pushfd 0x00000013 jmp 00007FB14CFE7C1Fh 0x00000018 and ah, FFFFFF9Eh 0x0000001b jmp 00007FB14CFE7C29h 0x00000020 popfd 0x00000021 popad 0x00000022 mov ax, word ptr [esi+30h] 0x00000026 jmp 00007FB14CFE7C1Eh 0x0000002b mov word ptr [edx+30h], ax 0x0000002f jmp 00007FB14CFE7C20h 0x00000034 mov ax, word ptr [esi+32h] 0x00000038 jmp 00007FB14CFE7C20h 0x0000003d mov word ptr [edx+32h], ax 0x00000041 jmp 00007FB14CFE7C20h 0x00000046 mov eax, dword ptr [esi+34h] 0x00000049 pushad 0x0000004a mov eax, 483A5A7Dh 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007FB14CFE7C28h 0x00000056 xor si, B488h 0x0000005b jmp 00007FB14CFE7C1Bh 0x00000060 popfd 0x00000061 mov esi, 51B714FFh 0x00000066 popad 0x00000067 popad 0x00000068 mov dword ptr [edx+34h], eax 0x0000006b jmp 00007FB14CFE7C22h 0x00000070 test ecx, 00000700h 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 mov ah, FEh 0x0000007b popad 0x0000007c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31515BC second address: 31515D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341C1h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31515D1 second address: 31515D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31406F8 second address: 314074B instructions: 0x00000000 rdtsc 0x00000002 mov cl, BAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx edx, ax 0x00000009 popad 0x0000000a pop ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FB14C7341C0h 0x00000012 jmp 00007FB14C7341C5h 0x00000017 popfd 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FB14C7341BEh 0x00000020 add ah, FFFFFFB8h 0x00000023 jmp 00007FB14C7341BBh 0x00000028 popfd 0x00000029 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3140C05 second address: 3140C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3140A1A second address: 3140A39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB14C7341C2h 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3140A39 second address: 3140A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31403D8 second address: 31403DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31403DC second address: 31403E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31403E2 second address: 31403E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31403E8 second address: 314040B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB14CFE7C28h 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 314040B second address: 314041D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341BEh 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 314041D second address: 3140444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB14CFE7C29h 0x00000013 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3140444 second address: 3140448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3140448 second address: 314044E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 314044E second address: 3140465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341C3h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 314031E second address: 3140324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3140324 second address: 3140328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31401B2 second address: 31401B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31401B8 second address: 31401BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110717 second address: 3110725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110725 second address: 3110767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, DD44h 0x00000007 mov dl, 89h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FB14C7341C4h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov cl, 7Ch 0x00000018 call 00007FB14C7341C9h 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110767 second address: 3110792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB14CFE7C20h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushad 0x00000013 mov bl, ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31207D1 second address: 312081A instructions: 0x00000000 rdtsc 0x00000002 mov esi, 0397AA71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov edx, eax 0x0000000c mov esi, 60F62BCFh 0x00000011 popad 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FB14C7341C2h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007FB14C7341BAh 0x00000025 sbb cx, 01A8h 0x0000002a jmp 00007FB14C7341BBh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 312081A second address: 3120820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120820 second address: 3120824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120824 second address: 3120849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dh, 7Dh 0x00000011 call 00007FB14CFE7C1Ch 0x00000016 pop eax 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120849 second address: 3120882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FB14C7341C0h 0x00000010 mov ecx, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 pushad 0x00000015 movzx eax, bx 0x00000018 movsx edi, cx 0x0000001b popad 0x0000001c pushad 0x0000001d mov si, 1D47h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120882 second address: 31208C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 or eax, FFFFFFFFh 0x00000009 jmp 00007FB14CFE7C28h 0x0000000e lock xadd dword ptr [ecx], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FB14CFE7C1Dh 0x0000001a jmp 00007FB14CFE7C20h 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130468 second address: 313046C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 313046C second address: 3130470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130470 second address: 3130476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130476 second address: 31304B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB14CFE7C1Eh 0x0000000f push eax 0x00000010 jmp 00007FB14CFE7C1Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov ebx, eax 0x00000019 mov ch, 5Fh 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31304B1 second address: 31304B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31304B5 second address: 31304B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31304B9 second address: 31304BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31304BF second address: 313056A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB14CFE7C1Dh 0x00000008 mov ecx, 007695B7h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 and esp, FFFFFFF8h 0x00000013 pushad 0x00000014 mov eax, 60CC84AFh 0x00000019 mov bx, si 0x0000001c popad 0x0000001d xchg eax, ecx 0x0000001e jmp 00007FB14CFE7C1Eh 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FB14CFE7C21h 0x0000002b or cx, E0C6h 0x00000030 jmp 00007FB14CFE7C21h 0x00000035 popfd 0x00000036 mov dx, ax 0x00000039 popad 0x0000003a xchg eax, ecx 0x0000003b jmp 00007FB14CFE7C1Ah 0x00000040 xchg eax, ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 call 00007FB14CFE7C1Dh 0x00000049 pop esi 0x0000004a pushfd 0x0000004b jmp 00007FB14CFE7C21h 0x00000050 sbb ecx, 5D01C386h 0x00000056 jmp 00007FB14CFE7C21h 0x0000005b popfd 0x0000005c popad 0x0000005d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 313056A second address: 31305C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB14C7341C7h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FB14C7341C9h 0x0000000f sbb ch, 00000046h 0x00000012 jmp 00007FB14C7341C1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB14C7341BCh 0x00000023 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31305C6 second address: 31305CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31305CC second address: 31305D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31305D0 second address: 31305E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB14CFE7C1Bh 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31305E8 second address: 31305EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31305EE second address: 3130651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007FB14CFE7C20h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FB14CFE7C1Dh 0x0000001b jmp 00007FB14CFE7C1Bh 0x00000020 popfd 0x00000021 call 00007FB14CFE7C28h 0x00000026 pop ecx 0x00000027 popad 0x00000028 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130651 second address: 3130657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130657 second address: 313065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 313065B second address: 313066A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 313066A second address: 313066E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 313066E second address: 3130674 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130674 second address: 3130690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C28h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130690 second address: 3130694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130694 second address: 31306CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FB14CFE7C27h 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB14CFE7C25h 0x00000018 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31306CE second address: 31306EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31306EA second address: 31306EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31306EE second address: 3130701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130701 second address: 3130719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C24h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3130719 second address: 3130809 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB14C7341BEh 0x0000000e xchg eax, edi 0x0000000f jmp 00007FB14C7341C0h 0x00000014 test esi, esi 0x00000016 jmp 00007FB14C7341C0h 0x0000001b je 00007FB1C0D82078h 0x00000021 pushad 0x00000022 mov ecx, 12BE48FDh 0x00000027 mov bh, al 0x00000029 popad 0x0000002a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000031 pushad 0x00000032 mov ax, dx 0x00000035 pushfd 0x00000036 jmp 00007FB14C7341C7h 0x0000003b add si, 189Eh 0x00000040 jmp 00007FB14C7341C9h 0x00000045 popfd 0x00000046 popad 0x00000047 je 00007FB1C0D8203Ch 0x0000004d jmp 00007FB14C7341BEh 0x00000052 mov edx, dword ptr [esi+44h] 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 pushfd 0x00000059 jmp 00007FB14C7341BDh 0x0000005e xor ecx, 7B53D986h 0x00000064 jmp 00007FB14C7341C1h 0x00000069 popfd 0x0000006a pushfd 0x0000006b jmp 00007FB14C7341C0h 0x00000070 xor esi, 0203FC28h 0x00000076 jmp 00007FB14C7341BBh 0x0000007b popfd 0x0000007c popad 0x0000007d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0BF9 second address: 30C0BFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0BFF second address: 30C0C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0C03 second address: 30C0C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007FB14CFE7C28h 0x00000011 pop esi 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0C28 second address: 30C0C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 mov cx, DA83h 0x00000009 mov edi, eax 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FB14C7341C5h 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FB14C7341BEh 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0C62 second address: 30C0C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0C66 second address: 30C0C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30C0C6A second address: 30C0C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120B62 second address: 3120B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120B66 second address: 3120B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120B6A second address: 3120B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120B70 second address: 3120B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120B76 second address: 3120B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120B7A second address: 3120C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ecx, ebx 0x0000000c pushad 0x0000000d call 00007FB14CFE7C1Bh 0x00000012 pop esi 0x00000013 call 00007FB14CFE7C29h 0x00000018 pop esi 0x00000019 popad 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FB14CFE7C28h 0x00000026 and ch, 00000008h 0x00000029 jmp 00007FB14CFE7C1Bh 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007FB14CFE7C28h 0x00000035 jmp 00007FB14CFE7C25h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120C0C second address: 3120C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120C12 second address: 3120C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120D0B second address: 3120D11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120D11 second address: 3120D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120D15 second address: 3120D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3120D19 second address: 3120B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 jmp 00007FB14CFE7C27h 0x0000000e retn 0004h 0x00000011 nop 0x00000012 ret 0x00000013 add esi, 18h 0x00000016 cmp esi, 004BA398h 0x0000001c pop ecx 0x0000001d jl 00007FB14CFE7C00h 0x0000001f push esi 0x00000020 call 00007FB14CFE7CD3h 0x00000025 push dword ptr [esp+04h] 0x00000029 call 00007FB14FCB7A9Eh 0x0000002e mov edi, edi 0x00000030 pushad 0x00000031 mov si, 6D7Dh 0x00000035 mov edx, esi 0x00000037 popad 0x00000038 xchg eax, ebp 0x00000039 pushad 0x0000003a movzx ecx, bx 0x0000003d pushad 0x0000003e mov edi, 4B8F9670h 0x00000043 pushfd 0x00000044 jmp 00007FB14CFE7C29h 0x00000049 and ax, 5FF6h 0x0000004e jmp 00007FB14CFE7C21h 0x00000053 popfd 0x00000054 popad 0x00000055 popad 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31A0158 second address: 31A015C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31A015C second address: 31A0162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31A0162 second address: 31A019A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 movzx eax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esp 0x0000000c jmp 00007FB14C7341C0h 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB14C7341C7h 0x0000001b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31A019A second address: 31A01A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31A01A0 second address: 31A01A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0843 second address: 31B0851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov al, 4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0851 second address: 31B0856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0856 second address: 31B085C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3190149 second address: 319014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 319014D second address: 319016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 319016A second address: 31901C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e call 00007FB14C7341C9h 0x00000013 call 00007FB14C7341C0h 0x00000018 pop eax 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB14C7341C3h 0x00000025 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31901C8 second address: 31901CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31901CE second address: 31901EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31901EE second address: 31901F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B06EB second address: 31B06EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B06EF second address: 31B070B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B070B second address: 31B0710 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0710 second address: 31B0716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0716 second address: 31B074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FB14C7341C3h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB14C7341C5h 0x00000016 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B074A second address: 31B0750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0750 second address: 31B0754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0754 second address: 31B0758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0758 second address: 31B0768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a movsx edi, cx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 317084A second address: 3170862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C24h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3170862 second address: 317090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ax, E12Bh 0x00000011 pushfd 0x00000012 jmp 00007FB14C7341C0h 0x00000017 add eax, 4A9604B8h 0x0000001d jmp 00007FB14C7341BBh 0x00000022 popfd 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007FB14C7341C2h 0x0000002d and si, 3F18h 0x00000032 jmp 00007FB14C7341BBh 0x00000037 popfd 0x00000038 pop esi 0x00000039 mov ax, di 0x0000003c popad 0x0000003d xchg eax, ebp 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FB14C7341C1h 0x00000045 sub cl, FFFFFFB6h 0x00000048 jmp 00007FB14C7341C1h 0x0000004d popfd 0x0000004e jmp 00007FB14C7341C0h 0x00000053 popad 0x00000054 mov ebp, esp 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 mov cx, 8A8Fh 0x0000005d popad 0x0000005e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3190DD7 second address: 3190DDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0BC4 second address: 31B0BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0BD3 second address: 31B0BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C24h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0BEB second address: 31B0BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0BEF second address: 31B0BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0BFE second address: 31B0C11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C11 second address: 31B0C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C17 second address: 31B0C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C1B second address: 31B0C2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C2A second address: 31B0C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C2E second address: 31B0C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C32 second address: 31B0C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C38 second address: 31B0C4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C1Eh 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C4A second address: 31B0C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C4E second address: 31B0C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB14CFE7C1Ah 0x00000011 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C64 second address: 31B0C7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp+08h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C7D second address: 31B0C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C81 second address: 31B0C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0C87 second address: 31B0CB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FB14CFE7C20h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 mov di, si 0x00000018 popad 0x00000019 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0B07 second address: 31B0B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB14C7341C5h 0x0000000e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0B25 second address: 31B0B75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov cx, dx 0x0000000f pushfd 0x00000010 jmp 00007FB14CFE7C27h 0x00000015 xor si, 498Eh 0x0000001a jmp 00007FB14CFE7C29h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov al, dh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0B75 second address: 31B0B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B097F second address: 31B0983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0983 second address: 31B0987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B0987 second address: 31B098D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31B098D second address: 31B09CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FB14C7341C0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB14C7341C7h 0x00000018 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E21 second address: 30F0E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E47 second address: 30F0E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E4B second address: 30F0E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E51 second address: 30F0E66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14C7341C1h 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E66 second address: 30F0E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB14CFE7C1Fh 0x00000013 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E83 second address: 30F0E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E87 second address: 30F0E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 30F0E8D second address: 30F0EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB14C7341C2h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31905A2 second address: 31905D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB14CFE7C28h 0x00000013 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31905D4 second address: 31905D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31905D8 second address: 31905DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31905DE second address: 3190601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB14C7341BEh 0x00000011 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3190601 second address: 3190631 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007FB14CFE7C24h 0x00000010 mov ecx, 35553451h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 mov si, bx 0x0000001b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3190631 second address: 31906CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB14C7341BCh 0x00000013 add esi, 150F4F08h 0x00000019 jmp 00007FB14C7341BBh 0x0000001e popfd 0x0000001f jmp 00007FB14C7341C8h 0x00000024 popad 0x00000025 push dword ptr [ebp+0Ch] 0x00000028 pushad 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FB14C7341BCh 0x00000030 add cx, 8498h 0x00000035 jmp 00007FB14C7341BBh 0x0000003a popfd 0x0000003b jmp 00007FB14C7341C8h 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31906CA second address: 31906EB instructions: 0x00000000 rdtsc 0x00000002 mov ax, 880Dh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FB14CFE7C21h 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31906EB second address: 3190729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FB14C7341B9h 0x0000000e jmp 00007FB14C7341BEh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB14C7341BDh 0x0000001d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3190729 second address: 319072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 319072D second address: 3190733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3190733 second address: 319077E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FB14CFE7C1Bh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FB14CFE7C22h 0x0000001d or cx, B878h 0x00000022 jmp 00007FB14CFE7C1Bh 0x00000027 popfd 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 319077E second address: 31907BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB14C7341C5h 0x00000008 pop eax 0x00000009 mov eax, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB14C7341C9h 0x00000019 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31907BB second address: 31907CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB14CFE7C1Ch 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 31907CB second address: 31907D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110AE9 second address: 3110AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110AED second address: 3110AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110AF3 second address: 3110B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 6AF171E3h 0x00000008 mov di, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FB14CFE7C22h 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FB14CFE7C1Dh 0x0000001e rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110B26 second address: 3110B3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110B3B second address: 3110B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB14CFE7C27h 0x00000009 or si, 48CEh 0x0000000e jmp 00007FB14CFE7C29h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FB14CFE7C20h 0x0000001a and al, 00000048h 0x0000001d jmp 00007FB14CFE7C1Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110B9F second address: 3110BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110BA3 second address: 3110BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110BA9 second address: 3110BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110BAF second address: 3110BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110BB3 second address: 3110BE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14C7341C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB14C7341C7h 0x00000014 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110BE8 second address: 3110BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110BEE second address: 3110C2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dl, byte ptr [ebp+14h] 0x0000000b pushad 0x0000000c mov ah, dh 0x0000000e pushfd 0x0000000f jmp 00007FB14C7341C6h 0x00000014 and eax, 5064AB98h 0x0000001a jmp 00007FB14C7341BBh 0x0000001f popfd 0x00000020 popad 0x00000021 mov eax, dword ptr [ebp+10h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110C2F second address: 3110C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110C33 second address: 3110C39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110C39 second address: 3110C8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dl, 00000007h 0x0000000c jmp 00007FB14CFE7C20h 0x00000011 test eax, eax 0x00000013 jmp 00007FB14CFE7C20h 0x00000018 je 00007FB1C161D19Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB14CFE7C27h 0x00000025 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110C8B second address: 3110C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110C91 second address: 3110C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110C95 second address: 3110D06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 00000000h 0x0000000d pushad 0x0000000e call 00007FB14C7341BAh 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 pushad 0x00000017 mov dx, 8F32h 0x0000001b pushfd 0x0000001c jmp 00007FB14C7341C3h 0x00000021 add eax, 07E4F12Eh 0x00000027 jmp 00007FB14C7341C9h 0x0000002c popfd 0x0000002d popad 0x0000002e popad 0x0000002f inc ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 jmp 00007FB14C7341C6h 0x00000038 popad 0x00000039 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110D06 second address: 3110AE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 shr eax, 1 0x0000000b pushad 0x0000000c mov eax, 18BF0EABh 0x00000011 mov ah, EAh 0x00000013 popad 0x00000014 jmp 00007FB1C161D0C7h 0x00000019 jne 00007FB14CFE7C0Dh 0x0000001b inc ecx 0x0000001c shr eax, 1 0x0000001e jne 00007FB14CFE7C0Dh 0x00000020 imul ecx, ecx, 03h 0x00000023 movzx eax, dl 0x00000026 cdq 0x00000027 sub ecx, 03h 0x0000002a call 00007FB14CFF810Dh 0x0000002f cmp cl, 00000040h 0x00000032 jnc 00007FB14CFE7C27h 0x00000034 cmp cl, 00000020h 0x00000037 jnc 00007FB14CFE7C18h 0x00000039 shld edx, eax, cl 0x0000003c shl eax, cl 0x0000003e ret 0x0000003f or edx, dword ptr [ebp+0Ch] 0x00000042 or eax, dword ptr [ebp+08h] 0x00000045 or edx, 80000000h 0x0000004b pop ebp 0x0000004c retn 0010h 0x0000004f push 00000003h 0x00000051 push 00000001h 0x00000053 push edx 0x00000054 push eax 0x00000055 call esi 0x00000057 mov edi, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FB14CFE7C20h 0x00000062 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110D81 second address: 3110D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110D87 second address: 3110D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110D8B second address: 3110E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FB14C7341C8h 0x0000000f push dword ptr [ebp+14h] 0x00000012 jmp 00007FB14C7341C0h 0x00000017 push dword ptr [ebp+10h] 0x0000001a jmp 00007FB14C7341C0h 0x0000001f push dword ptr [ebp+0Ch] 0x00000022 pushad 0x00000023 jmp 00007FB14C7341BEh 0x00000028 mov di, ax 0x0000002b popad 0x0000002c push dword ptr [ebp+08h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FB14C7341C3h 0x00000036 rdtsc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeRDTSC instruction interceptor: First address: 3110E67 second address: 3110E84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB14CFE7C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Tries to evade debugger and weak emulator (self modifying code)
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSpecial instruction interceptor: First address: 4CDD81 instructions caused by: Self-modifying code
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSpecial instruction interceptor: First address: 67949D instructions caused by: Self-modifying code
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeSpecial instruction interceptor: First address: 6C1CA2 instructions caused by: Self-modifying code
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeSpecial instruction interceptor: First address: 760C74 instructions caused by: Self-modifying code
            Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile opened / queried: VBoxMiniRdrDN
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeWindow / User API: threadDelayed 768
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeWindow / User API: threadDelayed 768
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeWindow / User API: threadDelayed 782
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeWindow / User API: threadDelayed 806
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeWindow / User API: threadDelayed 752
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeWindow / User API: threadDelayed 2536
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWindow / User API: threadDelayed 2233
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWindow / User API: threadDelayed 2211
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWindow / User API: threadDelayed 2091
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWindow / User API: threadDelayed 2139
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKToolU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\tktool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TySUtilu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\npkfxa.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFWVT64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tkfwvt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKRgAc2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskre64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npacr_32.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyavexcept.binJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFW.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npebsc20.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npasdk.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskcv.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKFsFt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npesm.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\np_ck32s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\npkakl.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\softokn3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosksdk64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\noske64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKCtrl2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskes64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\NpBWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefuncmgr.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npealert.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\BwtTrust.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\tyav32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\npPb.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKSPXP64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npPb.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TeCtrl.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\np_ck64s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKRgAcu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\tyavexcept.binJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKPcFtHk64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet UnInstall\nProtect Online Security\nProtectUninstaller.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npacr_64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKToolu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noska.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npamgr_32.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgFtXp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskkbd.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nos_launcher.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosscanner.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefsav.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKPcFtHk.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npefw.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\BwtTrust.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\tkfwvt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKIdsVt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosapp64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKIdsVt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossdk.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npsf.npbJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\noska.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\freebl3.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tknetcfg.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TeCtrl.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskne64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKTool2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TySUtilu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFWU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKCtrl2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwflt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tkfwflt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFsFt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\npcf_win_32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npamgr_64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwfltU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKRgFtXp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskcp.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKFsFt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKToolU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKPcFtCb.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certmgr.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\npPb.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\nsDialogs.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\NpBWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKCtrl2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKNetCfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskre.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFW.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKFsFtMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKPcFtCb.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKFWFV64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\nsExec.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskcv64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\INICRYPTOSDK.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKNetCfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwvt.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKRgFtXp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgFt2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskfx.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\np_ck64s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\np_ck32s.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\NpHttpsLib.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkids.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosku.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\NpHttpsLib.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKRgAc2k64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TeCtrlu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFsAv.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKRgFt2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\tkfwvt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosku64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskne.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsAvMu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nssckbi.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosuseractor.npeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TkPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\BWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\noskp.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\noskp64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKPcFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKFsAv.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgAc2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\tyav32u.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tkids.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\Downloaded Program Files\nosxplatform.ocxJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npslm20.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKRgFtu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWFV.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\npkakl.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKPcFtCb64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\nosku.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npertd.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npeurlmon.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\tkidsxU.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossdk64.npdJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\nosksdk.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKPcFtHk.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x64\TKFsAv64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKFWFV.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\npeNSISUtil.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskm.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscB7F4.tmp\UserInfo.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\BWT.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosapp.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\x86\TKToolu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\TKTool2k.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKIdsVt64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tknetcfg64.exeJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\npkfxa.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskfx64.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Windows\System32\TKPcFtHk64.sysJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TeCtrlu.dllJump to dropped file
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeDropped PE file which has not been started: C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\noskp64.sysJump to dropped file
            Source: C:\Windows\System32\svchost.exe TID: 8028Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1712Thread sleep count: 35 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1712Thread sleep time: -70035s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1384Thread sleep count: 88 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1384Thread sleep count: 149 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 7488Thread sleep count: 768 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 7488Thread sleep time: -1536768s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 4348Thread sleep count: 768 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 4348Thread sleep time: -1536768s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1384Thread sleep count: 88 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1384Thread sleep count: 168 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1376Thread sleep count: 782 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1376Thread sleep time: -1564782s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1384Thread sleep count: 187 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 4740Thread sleep time: -30000s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 7536Thread sleep count: 806 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 7536Thread sleep time: -1612806s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 7988Thread sleep time: -150000s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 2072Thread sleep count: 31 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 2072Thread sleep time: -62031s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1156Thread sleep count: 752 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 1156Thread sleep time: -1504752s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe TID: 2260Thread sleep count: 2536 > 30
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe TID: 1428Thread sleep time: -48024s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe TID: 1292Thread sleep time: -44022s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe TID: 7984Thread sleep time: -30000s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe TID: 4812Thread sleep time: -38019s >= -30000s
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe TID: 1628Thread sleep time: -42021s >= -30000s
            Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Manufacturer, Product, SerialNumber from Win32_BaseBoard
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ProcessorId from Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeLast function: Thread delayed
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
            Source: nossvc.exe, 00000017.00000002.2350206903.0000000000659000.00000040.00000001.01000000.00000020.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Virtual Platform
            Source: nossvc.exe, 00000017.00000002.2349969265.0000000000401000.00000040.00000001.01000000.00000020.sdmp, nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D\\.\PhysicalDrive0AV12NFDLL.dllMicrosoft Hv\\.\VBoxMiniRdrDNVBOX HARDDRIVEVBOX HARDDISKWFGetActiveProtocol%s\wfapi.dll%s\Citrix\ICAService\wfapi.dll%s\Tilon\DstationTilon Co.,LtdDstationTilonVDItosssvc64.dlltoss64.dlltosssvc.dlltoss.dll$moddir$d:\001_work\nprotectz\product\npn60\npengine\enginecommon\npEngineCmnDllInvoker.hpp(102) : [npz::cmn::npEngineCmnDllInvoker::unload]FreeLibrary Engine Module Name : %s, result : %d..\npEngine\enginecommon\npEngineBase.cpp(17) : [npEngineBase::npEngineBase],
            Source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
            Source: svchost.exe, 0000000B.00000002.2413643215.0000010B63C7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .?AVnpDetectVirtualMachine@@x
            Source: nossvc.exe, 00000017.00000003.1442851754.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2351858744.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443136348.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1441455382.0000000000A61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443623302.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1455451875.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1441265076.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1479066249.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030188546.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1462040398.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1443864099.0000000000A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0*
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002742000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E67000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\hgfs
            Source: nossvc.exe, 00000017.00000003.1440675847.0000000004119000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2030239935.0000000004117000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2360269692.0000000004118000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWt
            Source: svchost.exe, 00000002.00000002.2419219305.00000295FFC53000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.1218683751.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1440675847.0000000004129000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.2029728109.0000000004133000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1441185131.0000000001239000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1441610041.0000000001261000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443579382.0000000005CAA000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1443094814.0000000001272000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1441695119.0000000005CAA000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1442599189.0000000001261000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1722689803.000000006ED01000.00000040.00000001.01000000.00000009.sdmpBinary or memory string: uWin32sME9898 SE95 OSR295CENT2000XPServer 2003XP x64Server 2003 R2kernel32.dllGetNativeSystemInfoServer 20128Server 2008 R27Server 2008VistaWorkstation 4.0ProfessionalProfessional x64 EditionEmbeddedHome EditionSYSTEM\WPA\TabletPCInstalledSYSTEM\WPA\MediaCenterStarter NStarterBusiness NBusinessEnterprise NEnterpriseHome Basic NHome BasicHome Premium NHome PremiumProfessional NUltimate NUltimateGetProductInfo%i.%i%i3264Advanced ServerSERVERNTLANMANNTWorkstationWINNTProductTypeSYSTEM\CurrentControlSet\Control\ProductOptionsServer 4.0Server 4.0 Enterprise EditionServerDatacenter ServerStandard EditionStorage Server 2003Enterprise EditionDatacenter EditionStandard x64 EditionEnterprise x64 EditionDatacenter x64 EditionEnterprise Edition for Itanium-based SystemsDatacenter Edition for Itanium-based SystemsWeb Server Edition (core installation)Web Server EditionStorage Server Workgroup (core installation)Storage Server WorkgroupStorage Server Workgroup (evaluation installation)Storage Server Standard (core installation)Storage Server StandardStorage Server Standard (evaluation installation)Storage Server Express (core installation)Storage Server ExpressStorage Server Enterprise (core installation)Storage Server EnterpriseServer Solutions Premium (core installation)Server Solutions PremiumServer Standard without Hyper-V (core installation)Server Standard without Hyper-VServer Standard (core installation)Server StandardMultiPoint ServerMultiPoint Server PremiumMultiPoint Server StandardSmall Business Server PremiumSmall Business ServerServer FoundationServer 2008 without Hyper-V for Windows Essential Server SolutionsServer 2008 for Windows Essential Server SolutionsServer For SB Solutions EMServer For SB SolutionsEssential Business Server Security ServerEssential Business Server Messaging ServerEssential Business Server Management ServerHyper-V ServerStorage Server 2008 R2 EssentialsHome Server 2011Essential Server Solution Additional SVCEssential Server Solution Management SVCEssential Server Solution AdditionalEssential Server Solution ManagementServer Enterprise without Hyper-VServer Enterprise for Itanium-based SystemsServer Enterprise without Hyper-V (core installation)Server Enterprise (core installation)Server EnterpriseServer Enterprise (evaluation installation)Server Datacenter without Hyper-VServer Datacenter without Hyper-V (core installation)Server Datacenter (core installation)Server DatacenterServer Datacenter (evaluation installation)Server Hyper Core VHPC EditionService Pack 6aSOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009Service Pack 6
            Source: nosstarter.npe, 00000018.00000003.1551161264.0000000011E64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware USB Monitor p
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .?AVnpDetectVirtualMachine@@
            Source: svchost.exe, 0000000B.00000002.2414360797.0000010B63D02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: svchost.exe, 0000000B.00000002.2412719206.0000010B63C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: svchost.exe, 00000002.00000002.2415160419.00000295FE62B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
            Source: nosstarter.npe, 00000018.00000003.1550088029.0000000011E75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <List Use="1" id="*hcmon.sys"/> <!-- vmware USB Monitor -->
            Source: nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSIDE_VMWARE_PC = 2,
            Source: certutil.exe, 00000004.00000003.1210850134.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1218458554.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1217958399.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000D.00000003.1287312595.0000000003051000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: svchost.exe, 0000000B.00000002.2413643215.0000010B63C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: nossvc.exe, 00000017.00000003.1485478948.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485223039.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1509207982.0000000004C41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .?AVnpDetectVirtualMachine@@X6
            Source: nosstarter.npe, 00000018.00000003.1443579382.0000000005C91000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1441375483.0000000005C91000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1441695119.0000000005C91000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1440543644.0000000005C92000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWV
            Source: svchost.exe, 0000000B.00000002.2413113040.0000010B63C4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: svchost.exe, 0000000B.00000002.2413113040.0000010B63C4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: nossvc.exe, 00000017.00000002.2349969265.0000000000401000.00000040.00000001.01000000.00000020.sdmp, nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %s[ErrCode:%d]init_fail.\src\npServiceImpl.cpp(3039) : [npServiceImpl::starterThread].\src\npServiceImpl.cpp(2925) : [npServiceImpl::starterThread]===>>>>>>>>> VirtualMachine %d.\src\npServiceImpl.cpp(2915) : [npServiceImpl::starterThread].\src\npServiceImpl.cpp(2906) : [npServiceImpl::starterThread]END - fail to loadLanguagePack.\src\npServiceImpl.cpp(2897) : [npServiceImpl::starterThread]END - fail to readPolicy.\src\npServiceImpl.cpp(2888) : [npServiceImpl::starterThread]END - fail to readandSetPublicKey.\src\npServiceImpl.cpp(2880) : [npServiceImpl::starterThread]======== [ %u ] User Define Control ========.\src\npServiceImpl.cpp(2875) : [npServiceImpl::starterThread].\src\npServiceImpl.cpp(2864) : [npServiceImpl::starterThread].\src\npServiceImpl.cpp(2858) : [npServiceImpl::starterThread].\src\npServiceImpl.cpp(2831) : [npServiceImpl::runStartThread].\src\npServiceImpl.cpp(530) : [npServiceImpl::serviceProc]Service is already exist.\src\npServiceImpl.cpp(541) : [npServiceImpl::serviceProc].\src\npServiceImpl.cpp(486) : [npServiceImpl::serviceProc]1versionuserpolicysuseriduserpolicy
            Source: svchost.exe, 0000000B.00000002.2412487637.0000010B63C13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
            Source: svchost.exe, 0000000B.00000002.2411940079.0000010B63C02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
            Source: nossvc.exe, 00000017.00000003.1489988774.00000000046EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware USB Monitor ER K300 I_02
            Source: nossvc.exe, 00000017.00000003.1401103962.0000000003060000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .nProtect Online SecuritywinhvvmbkmclhypervideohyperkbdctxsmcdrvpicatwcommsctxuvipicadmpicakbmctxmcswbcTKFileFilternpnusbldrnhnusbdbusVMware Virtual PlatformVMware, Inc.Parallels Virtual PlatformParallels Software International, Inc.Parallels(R)0x15AD0x1AB8prl_timeprl_tgprl_pvvsockvmcivmkdbvmwvhubvmwaudiovm3dmpvmusbmousevmmemctl\Driver\DeviceNtCloseNtQueryDirectoryObjectNtOpenDirectoryObjectntdll.dllRtlInitUnicodeStringNtReadVirtualMemoryNtQueryVirtualMemoryNtOpenProcessCsrGetProcessId$sysx86$$prgx86$$prgx64$
            Source: nosstarter.npe, 00000018.00000003.1413566203.0000000004B80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ]TwinhvvmbkmclhypervideohyperkbdctxsmcdrvpicatwcommsctxuvipicadmpicakbmctxmcswbcnpnusbldrnhnusbdbusVMware Virtual PlatformVMware, Inc.Parallels Virtual PlatformParallels Software International, Inc.0x15ADprl_timeprl_tgprl_pvvmkdbvmwvhubvmwaudiovm3dmpvmusbmouse\Driver\DeviceRtlInitUnicodeStringntdll.dllNtOpenDirectoryObjectNtQueryDirectoryObjectNtCloseCsrGetProcessIdNtOpenProcessNtQueryVirtualMemoryNtReadVirtualMemoryVBOX HARDDISKVBOX HARDDRIVE\\.\VBoxMiniRdrDN%s\Citrix\ICAService\wfapi.dll%s\wfapi.dllWFGetActiveProtocol\\.\PhysicalDrive0AV12NFDLL.dllMicrosoft Hvtoss.dlltosssvc.dlltoss64.dlltosssvc64.dllTilonVDIDstationTilon Co.,Ltd%s\Tilon\DstationLoadLibrary Engine Module Name : %sd:\001_work\nprotectz\product\npn60\npengine\enginecommon\npEngineCmnDllInvoker.hpp(90) : [npz::cmn::npEngineCmnDllInvoker::load]FreeLibrary Engine Module Name : %s, result : %dd:\001_work\nprotectz\product\npn60\npengine\enginecommon\npEngineCmnDllInvoker.hpp(102) : [npz::cmn::npEngineCmnDllInvoker::unload]..\npEngine\enginecommon\npEngineBase.cpp(17) : [npEngineBase::npEngineBase]..\npEngine\enginecommon\npEngineBase.cpp(22) : [npEngineBase::~npEngineBase]..\npEngine\enginecommon\npEngineBase.cpp(157) : [npEngineBase::initEngine]..\npEngine\enginecommon\npEngineBase.cpp(198) : [npEngineBase::loadDriver]fail to loadAfertAuth : %s..\npEngine\enginecommon\npEngineBase.cpp(225) : [npEngineBase::loadDllcheckAuthEx]..\npEngine\enginecommon\npEngineBase.cpp(238) : [npEngineBase::loadDllcheckAuthEx]
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002742000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027A3000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002E67000.00000004.00000020.00020000.00000000.sdmp, 5rh5u9yBNf.exe, 00000000.00000002.1718778706.00000000027BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\VBoxMiniRdr
            Source: nossvc.exe, 00000017.00000002.2350206903.0000000000659000.00000040.00000001.01000000.00000020.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: svchost.exe, 0000000B.00000002.2413113040.0000010B63C4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: nosstarter.npe, 00000018.00000003.1556370282.0000000011E5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware USB Monitor
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeOpen window title or class name: ollydbg
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exeOpen window title or class name: windbgframeclass
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeSystem information queried: KernelDebuggerInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Allocates memory in foreign processes
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeMemory allocated: C:\Windows\explorer.exe base: 15B0000 protect: page read and write
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" control nossvc 200Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -A -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cer"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=anyJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= autoJump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" description "nossvc" "nProtect Online Security(PFS)"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start "nossvc"Jump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" u3j6oP
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" h8kz9q
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -d sql:"c:\users\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release" -a -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\program files (x86)\incainternet\nprotect online security\ncert\nprotect-root_ca.cer"
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "c:\windows\system32\netsh.exe" advfirewall firewall add rule name="nprotect online security starter" program="c:\program files (x86)\incainternet\nprotect online security\nosstarter.npe" description="nprotect online security starter" dir=in action=allow protocol=any enable=yes profile=any
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\z6bny8rn.default" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Windows\SysWOW64\netsh.exe "c:\windows\syswow64\netsh.exe" advfirewall firewall add rule name="nprotect online security updater" program="c:\program files (x86)\incainternet\nprotect online security\npupdatec.exe" description="nprotect online security updater" dir=out action=allow protocol=any enable=yes profile=any
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\z6bny8rn.default" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -d sql:"c:\users\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release" -a -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\program files (x86)\incainternet\nprotect online security\ncert\nprotect-root_ca.cer"Jump to behavior
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "c:\windows\system32\netsh.exe" advfirewall firewall add rule name="nprotect online security starter" program="c:\program files (x86)\incainternet\nprotect online security\nosstarter.npe" description="nprotect online security starter" dir=in action=allow protocol=any enable=yes profile=anyJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\z6bny8rn.default" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Windows\SysWOW64\netsh.exe "c:\windows\syswow64\netsh.exe" advfirewall firewall add rule name="nprotect online security updater" program="c:\program files (x86)\incainternet\nprotect online security\npupdatec.exe" description="nprotect online security updater" dir=out action=allow protocol=any enable=yes profile=any
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeProcess created: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe "c:\program files (x86)\incainternet\nprotect online security\ncert\certutil.exe" -a -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\z6bny8rn.default" -t "c,," -n "inca internet co., ltd. ca - inca internet co., ltd." -i "c:\programdata\incainternet\nprotect online security\cert\inca.cer"
            Source: 5rh5u9yBNf.exe, 00000000.00000002.1718778706.0000000002A1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32.\src\npTrayMgrWnd.cpp(123) : [npTrayMgrWnd::refreshTray]T
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cer VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npicommon.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npiui.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimain_conf.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimsg7.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npinpnmini.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npmypcalert.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npmypcnoti_t.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npicommon.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimain_conf.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimsg1.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimsg2.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimsg3.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimsg5.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeQueries volume information: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npimsg6.npi VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer VolumeInformation
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Changes security center settings (notifications, updates, antivirus, firewall)
            Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
            Modifies the windows firewall
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any
            Overwrites Mozilla Firefox settings
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db-journalJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db-journalJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db-journalJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\pkcs11.txt
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db
            Uses netsh to modify the Windows network and firewall settings
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any
            Source: svchost.exe, 0000000C.00000002.2413689056.0000027F5C502000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555869407.0000000004B69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\AVG\AVG2015\avgrsx.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483794897.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452119185.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $sysx86$\INCAinternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspupsvc.exe
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555869407.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541356478.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481643365.0000000004B4E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2362987429.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482166683.0000000004B66000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481917007.0000000004B60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\AVG\AVG2015\avgwdsvc.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A52000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C:\Program Files\mcafee.com\agent\McUpdate.exe
            Source: nosstarter.npe, 00000018.00000003.1451200654.0000000005847000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451223633.0000000005849000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451274456.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451490972.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $sysx86$\INCAinternet\nProtect Anti-Virus Spyware 3.0\nspsvc.exe
            Source: nossvc.exe, 00000017.00000003.1518478943.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dows Defender\MSASCui.exe
            Source: nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358629835.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: indows\SysWOW64\INCAinternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspsvc.exe
            Source: nossvc.exe, 00000017.00000003.1513606302.0000000003A2E000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516987411.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A21000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514163520.0000000003A2E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysWOW64\INCAinternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspsvc.exe
            Source: nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1476199241.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1471184504.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1470808278.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482930953.0000000004BA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\Common Files\McAfee\AMCore\mcshield.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\AVG\AVG2015\avgcmgr.exe
            Source: nossvc.exe, 00000017.00000003.1481963752.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482166683.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481643365.0000000004B4E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481836548.0000000004B50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\Windows Defender\MSASCui.exe
            Source: nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358629835.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513774412.0000000003A53000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518478943.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\AVG\AVG2015\avgrsx.exe
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451200654.0000000005847000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe
            Source: nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358629835.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518478943.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *\INCAInternet\nProtect Anti-Virus Spyware 3.0\nspmain.exe
            Source: nosstarter.npe, 00000018.00000003.1453464954.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451534186.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451404777.00000000057A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\Windows Defender\MsMpEng.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518739062.0000000003A27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\AVG\AVG2015\avgui.exe
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555470861.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1554669670.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541206634.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485376834.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363393969.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550487263.0000000004BA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\Naver\NaverVaccine\nsvmon.npc
            Source: nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1476199241.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1471184504.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1470808278.0000000004B93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\INCAInternet\nProtect Anti-Virus Spyware 3.0\nspmain.exe
            Source: svchost.exe, 0000000C.00000002.2413689056.0000027F5C502000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451200654.0000000005847000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451223633.0000000005849000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451274456.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451490972.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\INCAInternet\nProtect Anti-Virus Spyware 3.0\nspupdt.exe
            Source: nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x86$\INCAinternet\nProtect Anti-Virus Spyware 3.0\nspsvc.exe
            Source: nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysWOW64\INCAinternet\nProtect Anti-Virus Spyware 3.0\nspupsvc.exe
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483794897.0000000004BAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x86$\INCAinternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspsvc.exe
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555869407.0000000004B69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\AVG\AVG2015\avgui.exe
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555869407.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541356478.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481643365.0000000004B4E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2362987429.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482166683.0000000004B66000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481917007.0000000004B60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\AVG\AVG2015\avgcmgr.exe
            Source: nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513774412.0000000003A53000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1515005814.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483794897.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\INCAInternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspupdt.exe
            Source: nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358629835.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\INCAInternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspmain.exe
            Source: nossvc.exe, 00000017.00000003.1513606302.0000000003A2E000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516987411.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A21000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514163520.0000000003A2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\INCAInternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspupdt.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513774412.0000000003A53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Naver\NaverVaccine\Nsavsvc.npc
            Source: nossvc.exe, 00000017.00000003.1518478943.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Windows Defender\MSASCui.exe
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\Trend Micro\BM\TMBMSRV.exe
            Source: nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481643365.0000000004B4E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482166683.0000000004B66000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481917007.0000000004B60000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481740327.0000000004B55000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451200654.0000000005847000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.000000000584A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451223633.0000000005849000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451274456.000000000584A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $sysx86$\INCAinternet\nProtect Anti-Virus Spyware 3.0\nspupsvc.exe
            Source: nosstarter.npe, 00000018.00000003.1451373317.000000000584F000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451169388.000000000584D000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452064332.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1452119185.000000000585A000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451131638.000000000583E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450688493.000000000581E000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451938610.0000000005854000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1450726504.000000000583B000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451592590.0000000005853000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\INCAInternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspmain.exe
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482614952.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482034312.0000000004B61000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555869407.0000000004B69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgdir$\AVG\AVG2015\avgcsrvx.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Naver\NaverVaccine\nsvmon.npc
            Source: nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469558369.0000000004B7F000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1476199241.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1471184504.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1483442717.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1470808278.0000000004B93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\ESTsoft\ALYac\AYAgent.aye
            Source: nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\INCAInternet\nProtect Anti-Virus Spyware 3.0\nspupdt.exe
            Source: nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: <b><font color="#22B2F2">Registry Name : </font></b>us Spyware 3.0\nspupdt.exe
            Source: nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513606302.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A52000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513774412.0000000003A53000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1515005814.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514425621.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\AVG\AVG2015\avgcsrvx.exe
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1469672407.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555470861.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1472936776.0000000004B93000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1554669670.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541206634.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485376834.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363393969.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\Naver\NaverVaccine\Nsavsvc.npc
            Source: nossvc.exe, 00000017.00000003.1554963119.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550729677.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555869407.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541356478.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1542596741.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1551778599.0000000004B69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Virus Spyware 3.0\nspupsvc.exe
            Source: nossvc.exe, 00000017.00000003.1481963752.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481442659.0000000004B47000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482166683.0000000004B54000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481643365.0000000004B4E000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481836548.0000000004B50000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\Windows Defender\MsMpEng.exe
            Source: nossvc.exe, 00000017.00000003.1485309795.0000000004BAA000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1555470861.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482795814.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482874593.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1554669670.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1481568218.0000000004B92000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1541206634.0000000004BA3000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1485376834.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2363393969.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1482399824.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1550487263.0000000004BA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\mcafee.com\agent\McUpdate.exe
            Source: nossvc.exe, 00000017.00000003.1513606302.0000000003A2E000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516987411.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513484678.0000000003A21000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514163520.0000000003A2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysWOW64\INCAinternet\nProtect Anti-Virus Spyware 3.0 for Windows Server\nspupsvc.exe
            Source: nossvc.exe, 00000017.00000003.1517046055.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517347849.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1521050707.0000000003A26000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358512941.0000000003A10000.00000004.00000001.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517436773.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518667352.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files (x86)\Windows Defender\MsMpEng.exe
            Source: nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358629835.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
            Source: nossvc.exe, 00000017.00000003.1514907043.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1518635288.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517633359.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517694114.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1520984546.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1517249254.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513989352.0000000003A55000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1513349278.0000000003A52000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000002.2358629835.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1516933338.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, nossvc.exe, 00000017.00000003.1514590312.0000000003A58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\ESTsoft\ALYac\AYAgent.aye
            Source: nosstarter.npe, 00000018.00000003.1451989515.00000000057D6000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458559317.00000000057E7000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1451624620.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1458006417.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1453464954.00000000057DB000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456177161.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1527005019.00000000057EF000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1528388527.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, nosstarter.npe, 00000018.00000003.1456627321.00000000057F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $prgx64$\Windows Defender\MSASCui.exe
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
            Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
            Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db-journalJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\5rh5u9yBNf.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.iniJump to behavior
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert9.db
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db-journal
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\pkcs11.txt
            Source: C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\pkcs11.txu

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts31
            Windows Management Instrumentation            		2
            LSASS Driver            		2
            LSASS Driver            		311
            Disable or Modify Tools            		1
            OS Credential Dumping            		1
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		1
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Command and Scripting Interpreter            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		1
            Obfuscated Files or Information            		1
            Network Sniffing            		1
            Network Sniffing            		Remote Desktop Protocol1
            Browser Session Hijacking            		1
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Service Execution            		21
            Windows Service            		21
            Windows Service            		1
            Install Root Certificate            		1
            Credential API Hooking            		234
            System Information Discovery            		SMB/Windows Admin Shares1
            Data from Local System            		3
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCron1
            Registry Run Keys / Startup Folder            		112
            Process Injection            		1
            Software Packing            		NTDS1
            Query Registry            		Distributed Component Object Model1
            Credential API Hooking            		4
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
            Registry Run Keys / Startup Folder            		1
            DLL Side-Loading            		LSA Secrets561
            Security Software Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            File Deletion            		Cached Domain Credentials25
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items132
            Masquerading            		DCSync2
            Process Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Modify Registry            		Proc Filesystem1
            Application Window Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt25
            Virtualization/Sandbox Evasion            		/etc/passwd and /etc/shadow1
            Remote System Discovery            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron112
            Process Injection            		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1640358 Sample: 5rh5u9yBNf Startdate: 17/03/2025 Architecture: WINDOWS Score: 76 105 supdated.nprotect.net.edgekey.net 2->105 107 supdated.nprotect.net 2->107 109 7 other IPs or domains 2->109 117 Malicious sample detected (through community Yara rule) 2->117 119 Yara detected HtmlPhish72 2->119 121 Yara detected GuLoader 2->121 123 8 other signatures 2->123 9 5rh5u9yBNf.exe 41 662 2->9         started        13 nossvc.exe 2->13         started        15 svchost.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 93 C:\...\npcnpnstock_bemy_koscom.npx, DOS 9->93 dropped 95 C:\Program Files (x86)\...\npupdatec.exe, PE32 9->95 dropped 97 C:\Program Files (x86)\...\nossvc.exe, PE32 9->97 dropped 101 258 other files (44 malicious) 9->101 dropped 141 Installs new ROOT certificates 9->141 143 May modify the system service descriptor table (often done to hook functions) 9->143 145 Uses netsh to modify the Windows network and firewall settings 9->145 157 3 other signatures 9->157 20 nosstarter.npe 9->20         started        25 certutil.exe 4 9->25         started        27 certutil.exe 1 9->27         started        33 7 other processes 9->33 99 C:\...\77EC63BDA74BD0D0E0426DC8F8008506, Microsoft 13->99 dropped 147 Query firmware table information (likely to detect VMs) 13->147 149 Creates files in the system32 config directory 13->149 151 Creates a FSFilter Anti-Virus service 13->151 153 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->153 29 noske64.exe 13->29         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 15->155 31 MpCmdRun.exe 15->31         started        103 127.0.0.1 unknown unknown 17->103 file6 signatures7 process8 dnsIp9 111 nsrs.nprotect.net 43.200.91.241, 443, 49744, 49746 LILLY-ASUS Japan 20->111 113 inca-supdate.dl.cdn.cloudn.co.kr 61.111.25.114, 443, 49738 LGDACOMLGDACOMCorporationKR Korea Republic of 20->113 115 2 other IPs or domains 20->115 81 C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506, Microsoft 20->81 dropped 83 C:\Program Files (x86)\...\npcstt.npx.bak, data 20->83 dropped 131 Query firmware table information (likely to detect VMs) 20->131 133 Installs new ROOT certificates 20->133 135 Tries to harvest and steal browser information (history, passwords, etc) 20->135 139 2 other signatures 20->139 35 certutil.exe 20->35         started        39 certutil.exe 20->39         started        41 certutil.exe 20->41         started        51 12 other processes 20->51 85 C:\Users\user\AppData\...\key4.db-journal, SQLite 25->85 dropped 87 C:\Users\user\AppData\Roaming\...\key4.db, SQLite 25->87 dropped 89 C:\Users\user\AppData\...\cert9.db-journal, SQLite 25->89 dropped 91 C:\Users\user\AppData\Roaming\...\cert9.db, SQLite 25->91 dropped 137 Overwrites Mozilla Firefox settings 25->137 43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 31->49         started        53 5 other processes 33->53 file10 signatures11 process12 file13 69 C:\Users\user\AppData\Roaming\...\pkcs11.txt, ASCII 35->69 dropped 71 C:\Users\user\AppData\...\key4.db-journal, SQLite 35->71 dropped 73 C:\Users\user\AppData\Roaming\...\key4.db, SQLite 35->73 dropped 79 2 other malicious files 35->79 dropped 125 Overwrites Mozilla Firefox settings 35->125 127 Tries to harvest and steal browser information (history, passwords, etc) 35->127 55 conhost.exe 35->55         started        57 conhost.exe 39->57         started        59 conhost.exe 41->59         started        75 C:\Users\user\AppData\...\noskes.dll.nz, 7-zip 51->75 dropped 77 C:\Users\user\AppData\LocalLow\...\9944316a, 0420 51->77 dropped 129 Installs new ROOT certificates 51->129 61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        65 conhost.exe 51->65         started        67 8 other processes 51->67 signatures14 process15

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.