Windows Analysis Report
fjL0EcgV6Y.exe

Overview

General Information

Sample name: fjL0EcgV6Y.exe
renamed because original name is a hash value
Original sample name: 6bcab686349807f131a92c8fe7a4d736.exe
Analysis ID: 1437711
MD5: 6bcab686349807f131a92c8fe7a4d736
SHA1: 487846c6d51f8df894bb174542a81fd0eb25e1ae
SHA256: ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926
Tags: exe, RiseProStealer

Detection

LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disables UAC (registry)
Drops script or batch files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: fjL0EcgV6Y.exe Avira: detected
Source: C:\Users\user\1000021002\2c9ff67496.exe Avira: detection malicious, Label: TR/AutoIt.mzmcv
Source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://49.13.229.86/c73eed764cc59dcb.php"}
Source: 32.0.jok.exe.490000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:26260"], "Bot Id": "Test1234", "Authorization Header": "bed37b7c341f364ee692c5adfa824881"}
Source: 31.2.rundll32.exe.6be60000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}
Source: RegAsm.exe.7772.25.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop"], "Build id": "LGNDR1--ketamine"}
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\file300un[1].exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe ReversingLabs: Detection: 87%
Source: fjL0EcgV6Y.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\1000021002\2c9ff67496.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe Joe Sandbox ML: detected
Source: fjL0EcgV6Y.exe Joe Sandbox ML: detected
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: @@@@@@@@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: /#%33@@@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: ">>""&&VWXY
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: .226622>>22lmnopq((\]^_`abcdefghijklmnopqrs
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: V/yVs
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: Vs\*.
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: 1_to7ens]
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: ,ass+ordjAss}ord
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: 6=@@J@@@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: KLM0OPQ-'!#!/!#{|}
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: }r4BO
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: !rie
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: tGR>lk`5
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: ReleaseDC
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: Fgph@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: E7Q)y
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: .dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: column_text
Source: 41.2.RegAsm.exe.400000.0.raw.unpack String decryptor: login:
Source: 31.2.rundll32.exe.6be60000.0.unpack String decryptor: 193.233.132.56
Source: 31.2.rundll32.exe.6be60000.0.unpack String decryptor: /Pneh2sXQk0/index.php
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00226A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 7_2_00226A80

Exploits

Source: Yara match File source: 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file300un.exe PID: 3940, type: MEMORYSTR
Source: fjL0EcgV6Y.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: System.ServiceModel.pdb source: jok.exe, 00000020.00000002.4972745129.0000000006284000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2430582865.0000000001537000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\j6qffzq3zw24\obj\Release\NETCrypt.pdb source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1000066001\Croco.pdb&[ source: swiiiii.exe, 00000016.00000002.2430582865.0000000001504000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002466F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_002466F0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00191F9C FindClose,FindFirstFileExW,GetLastError, 7_2_00191F9C
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00225F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_00225F80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00192022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_00192022
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3850 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_001F3850
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local\Temp

Networking

Source: Malware configuration extractor URLs: http://49.13.229.86/c73eed764cc59dcb.php
Source: Malware configuration extractor URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor URLs: communicationgenerwo.shop
Source: Malware configuration extractor URLs: communicationgenerwo.shop
Source: Malware configuration extractor URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor URLs: affordcharmcropwo.shop
Source: Malware configuration extractor URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor IPs: 193.233.132.56
Source: Malware configuration extractor URLs: 185.215.113.67:26260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: la4RG5LhUShae5ag2mFmRdea.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: UyBcuun7lvdsc1U8v04bEvjS.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: I4LhcLo5s9gVJdPowLL5oSzp.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C719B9p0FfrJspWW8NACmoaE.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: MCN1KYKWa3qY8Q8lKV2maDTO.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: bfSaxNj6PaRbQoH1x6AgorQM.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: XmniUOpJt9KGe1pM4XamnqZH.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: J8btV6htPGHeL2Yg1SgCaGFn.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: 3bpaooYORdL1zGgZZfaU6raM.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: M7rZI00dvqcykJFiBeuGFS7T.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: zhcyBjWDtf9NR8VTfZLAmUWa.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: GJ9O0qofKCDUPenZCkorX2YL.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: iftEMaYodvzM2QCJfFMzhqiG.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: lIBiF8F27nqVHoA6YIdbqFcI.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: yqUOk3nzvlJdWid9vqJoE5bL.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: TPSAPLN3OIImBCuzU9uj0qm5.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: NE6WkYn9fBQoC9a4gd2yFZXX.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: x6geX33yrj2DQ3LHzZRqUqDy.exe.51.dr
Source: Yara match File source: 51.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.file300un.exe.246c2698740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.file300un.exe.246c2695d00.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FDB670 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, 2_2_00FDB670
Source: 2c9ff67496.exe, 0000000B.00000003.3873025945.00000000038D3000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: K https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQyCImb_9cRDrKcUUsrjjBJhwC0Hyy9a0pW5vmMGs8rXmt9Y8EEn3tZ63u-DOF1VvxYXGAK-aw equals www.youtube.com (Youtube)
Source: aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&h equals www.youtube.com (Youtube)
Source: RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: InstallUtil.exe, 00000033.00000002.4166622967.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfirecar.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jonathantwo.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nic-it.nl
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nic-it.nl/games/index.php
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nic-it.nl/games/index.php0
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nic-it.nl/games/index.php4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nic-it.nl/games/index.phpt-
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: explorha.exe, 00000008.00000002.4621717301.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, file300un.exe, 0000002B.00000002.3172832815.00000246D2601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onlycitylink.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://realdeepai.org
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9K
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000029.00000002.3525660003.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp, RageMP131.exe, 00000030.00000003.2428078929.0000000002C10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://yip.su
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 00000019.00000002.2402948638.000000000140F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/api4
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apiP
Source: RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/h
Source: RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/v
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop:443/api
Source: jok.exe, 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://counter.yadro.ru/hit?
Source: aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.0000000001104000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/.
Source: RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102=Eg
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102O
Source: aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102P
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102V
Source: MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102_
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102y.co.ukd
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.0000000001077000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.000000000110C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102P
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102hcon
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firstfirecar.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firstfirecar.com/980979aa037665b1a96df3348db08dc0/baf14778c246e15550645e30ba78ce1c.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firstfirecar.comL
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firstfirecar.comL&f
Source: RageMP131.exe, 00000030.00000002.3131365441.0000000001061000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/#N
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2675850557.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.0000000001416000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000109A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/P
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/RE
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp, RageMP131.exe, 00000030.00000003.2428078929.0000000002C10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000013.00000002.2953499946.00000000013D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ocal
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.000000000107B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.1020
Source: MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102q
Source: MPGPH131.exe, 00000014.00000002.3124637144.0000000001406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/z
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2675850557.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/156.146.37.102
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001416000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/156.146.37.102A
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/1lyxz
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/privacy/
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/rules/
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com/980979aa037665b1a96df3348db08dc0/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.comH
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.comHdk
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.comHvu
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onlycitylink.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe4c
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/E0rY26ni
Source: InstallUtil.exe, 00000033.00000002.4166622967.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exeW
Source: explorha.exe, 00000008.00000002.4621717301.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, file300un.exe, 0000002B.00000002.3172832815.00000246D2601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: aea7caadbf.exe, 00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.000000000102E000.00000004.00000020.00020000.00000000.sdmp, FBI40obsDIWEYEPEV328oLc.zip.33.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000014.00000002.3124637144.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT?b
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000102E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTPROCESSOR_LEVEL=6PROCES
Source: aea7caadbf.exe, 00000021.00000002.3117284660.0000000001077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTh
Source: MPGPH131.exe, 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTl
Source: aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTrJ
Source: MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789324736.000000000110F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2821833886.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2794468417.0000000001116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot07
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botK
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlaterL;
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botr
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aea7caadbf.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/chrome.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873025945.00000000038D3000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.2526350598.0000000003840000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.2627476418.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3903887566.0000000003876000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: 2c9ff67496.exe, 0000000B.00000002.4120102195.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountR
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exe
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2686000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4104870630.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/redirect-
Source: RegAsm.exe, 0000002F.00000002.2455354430.00000000014F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/R
Source: RegAsm.exe, 0000002F.00000002.2455354430.00000000014F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/api
Source: RegAsm.exe, 0000002F.00000002.2455143104.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop:443/apilike
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00245F70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,702B74A0,DeleteObject,DeleteObject,ReleaseDC, 7_2_00245F70
Source: 2c9ff67496.exe, 0000000B.00000003.3919375581.000000000385A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_GETRAWINPUTDATA memstr_e2132641-c
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\TmpE3C7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\TmpE3E7.tmp Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\install[1].exe entropy: 7.99674074491 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000081001\install.exe entropy: 7.99674074491 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\F5nHoJjiPsXq9PqBPnN3uVb5.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\bsl30mcD1mRV5YLU9isxcsMk.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ZA6xyNAEYiDprMq2qgywyku5.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\R7igej85hEl8p5QzHqqsVcc4.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Czc5fung6FsMhCVG7EMYaiqO.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\z2u4DwiwBezR2xi11GPVbROw.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ARFJvysANOCKBRK3eId7VsQB.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\bVARrzkwQmnP1mnoffZ1HExy.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Tn3AK9zqC5GmoiH5iA9IY9Q6.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\fybzTZ3WiLAPEZj0fVOx3M0F.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\fW9mvrDIULE1qzTuYb8DunLu.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\gpxXZca2LPxp8nx3YxfAq52Q.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\5Xza309AWSsKZ7QtcoKLlH6j.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Zy6qmavCIexKIuB9nNrNHs9p.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\o70oR4A1odPm6ZpEPmcUY0kf.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\h9zNDFfiMy6YEXVQdIbIdOv5.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ybCY5oONgBmPsQ2TsLXObZGj.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\DqApJooverXr18YkrozyIUpZ.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\cqEYVGnsRBmElwXA0pViDIv4.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\qXzqKXhtyyRVQ12sGB23FDz0.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Ud8P6u9zcQkOThPmdNJauqRX.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\iiEhcrEC7kfTSvcQ2xPEqYzR.exe entropy: 7.99595937804 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\GFV2yyE0PpJkpGdl2N1D7Pr9.exe entropy: 7.99595937804 Jump to dropped file

System Summary

Source: swiiiii[1].exe.8.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.8.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiy[1].exe.8.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 153088
Source: swiy.exe.8.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 153088
Source: 2c9ff67496.exe, 0000000B.00000000.2237972193.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ec53eccc-a
Source: 2c9ff67496.exe, 0000000B.00000000.2237972193.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_167667d0-9
Source: 2c9ff67496.exe.2.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2559f638-2
Source: 2c9ff67496.exe.2.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d1123c48-6
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: .idata
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name: .idata
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name: .idata
Source: amert.exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: explorha.exe.6.dr Static PE information: section name:
Source: explorha.exe.6.dr Static PE information: section name: .idata
Source: explorha.exe.6.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File created: C:\Windows\Tasks\explorta.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01012918 2_2_01012918
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_0101703B 2_2_0101703B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01012480 2_2_01012480
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01016F1B 2_2_01016F1B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01018380 2_2_01018380
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_010167C9 2_2_010167C9
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01007633 2_2_01007633
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_0104D250 2_2_0104D250
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001A002D 7_2_001A002D
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001FF050 7_2_001FF050
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0020A180 7_2_0020A180
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F6330 7_2_001F6330
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001FD320 7_2_001FD320
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023E3B0 7_2_0023E3B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F03C0 7_2_001F03C0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0029F480 7_2_0029F480
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00237580 7_2_00237580
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F8630 7_2_001F8630
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0016B8E0 7_2_0016B8E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001E1B90 7_2_001E1B90
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0025AC30 7_2_0025AC30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023FE80 7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3EC0 7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001FAEE0 7_2_001FAEE0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023EFB0 7_2_0023EFB0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3000 7_2_001F3000
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001971A0 7_2_001971A0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002042A0 7_2_002042A0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001A036F 7_2_001A036F
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001E4560 7_2_001E4560
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0018F580 7_2_0018F580
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00203590 7_2_00203590
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002A85F0 7_2_002A85F0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002A7690 7_2_002A7690
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00247760 7_2_00247760
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001B47BF 7_2_001B47BF
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0019A928 7_2_0019A928
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0019C960 7_2_0019C960
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001ADA86 7_2_001ADA86
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0024FBA0 7_2_0024FBA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0024EBA0 7_2_0024EBA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001B8BB0 7_2_001B8BB0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00294C70 7_2_00294C70
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002A6C50 7_2_002A6C50
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002A5D10 7_2_002A5D10
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002A1E30 7_2_002A1E30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001B8E30 7_2_001B8E30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00252F30 7_2_00252F30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001FFFFF 7_2_001FFFFF
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: String function: 0017ACE0 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 872
Source: aea7caadbf.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: random[1].exe.2.dr Static PE information: Number of sections : 12 > 10
Source: MPGPH131.exe.7.dr Static PE information: Number of sections : 12 > 10
Source: explorta.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: fjL0EcgV6Y.exe Static PE information: Number of sections : 12 > 10
Source: RageMP131.exe.7.dr Static PE information: Number of sections : 12 > 10
Source: file300un[1].exe.8.dr Static PE information: No import functions for PE file found
Source: fjL0EcgV6Y.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: swiiiii[1].exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiy[1].exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiy.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fjL0EcgV6Y.exe Static PE information: Section: ZLIB complexity 0.9998032823741008
Source: fjL0EcgV6Y.exe Static PE information: Section: ZLIB complexity 0.9933230377906976
Source: fjL0EcgV6Y.exe Static PE information: Section: ZLIB complexity 1.00537109375
Source: fjL0EcgV6Y.exe Static PE information: Section: .boot ZLIB complexity 0.9909273791480536
Source: fjL0EcgV6Y.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 0.9998032823741008
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 0.9933230377906976
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 1.00537109375
Source: explorta.exe.0.dr Static PE information: Section: .boot ZLIB complexity 0.9909273791480536
Source: explorta.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: amert[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.9982615616621984
Source: amert[1].exe.2.dr Static PE information: Section: tgqtxtnx ZLIB complexity 0.9945086732390126
Source: amert.exe.2.dr Static PE information: Section: ZLIB complexity 0.9982615616621984
Source: amert.exe.2.dr Static PE information: Section: tgqtxtnx ZLIB complexity 0.9945086732390126
Source: random[1].exe.2.dr Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: random[1].exe.2.dr Static PE information: Section: ZLIB complexity 1.000295928030303
Source: random[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: random[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: random[1].exe.2.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: aea7caadbf.exe.2.dr Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: aea7caadbf.exe.2.dr Static PE information: Section: ZLIB complexity 1.000295928030303
Source: aea7caadbf.exe.2.dr Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: aea7caadbf.exe.2.dr Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: aea7caadbf.exe.2.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: explorha.exe.6.dr Static PE information: Section: ZLIB complexity 0.9982615616621984
Source: explorha.exe.6.dr Static PE information: Section: tgqtxtnx ZLIB complexity 0.9945086732390126
Source: RageMP131.exe.7.dr Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: RageMP131.exe.7.dr Static PE information: Section: ZLIB complexity 1.000295928030303
Source: RageMP131.exe.7.dr Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: RageMP131.exe.7.dr Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: RageMP131.exe.7.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.7.dr Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: MPGPH131.exe.7.dr Static PE information: Section: ZLIB complexity 1.000295928030303
Source: MPGPH131.exe.7.dr Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: MPGPH131.exe.7.dr Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: MPGPH131.exe.7.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@384/420@0/43
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:500:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File created: C:\Users\user\AppData\Local\Temp\5454e6f062 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp, RageMP131.exe, 00000030.00000003.2428078929.0000000002C10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aea7caadbf.exe, 00000007.00000003.2763923547.00000000058B6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2760437173.00000000058A8000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2756730026.00000000058A8000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2829759297.00000000058A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2781020740.0000000005BD5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2784972575.0000000005BD5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2771103050.0000000005C18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2774016505.0000000005C18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.4575050800.000002161D618000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: fjL0EcgV6Y.exe ReversingLabs: Detection: 55%
Source: amert.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: aea7caadbf.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File read: C:\Users\user\Desktop\fjL0EcgV6Y.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\fjL0EcgV6Y.exe "C:\Users\user\Desktop\fjL0EcgV6Y.exe"
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\1000021002\2c9ff67496.exe "C:\Users\user\1000021002\2c9ff67496.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\1000021002\2c9ff67496.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 872
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\1000021002\2c9ff67496.exe "C:\Users\user\1000021002\2c9ff67496.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown (3 identical entries)
Source: C:\Users\user\1000021002\2c9ff67496.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (9 identical entries)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown (226 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: wsock32.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: version.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: winmm.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: mpr.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: wininet.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: userenv.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: uxtheme.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: wldp.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: propsys.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: profapi.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: edputil.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: netutils.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: wintypes.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: appresolver.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: slc.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: sppc.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: pcacli.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: fjL0EcgV6Y.exe Static file information: File size 1804304 > 1048576
Source: fjL0EcgV6Y.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x187c00
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: System.ServiceModel.pdb source: jok.exe, 00000020.00000002.4972745129.0000000006284000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2430582865.0000000001537000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\j6qffzq3zw24\obj\Release\NETCrypt.pdb source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1000066001\Croco.pdb&[ source: swiiiii.exe, 00000016.00000002.2430582865.0000000001504000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Unpacked PE file: 6.2.amert.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 8.2.explorha.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 9.2.explorha.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW;
Source: jok[1].exe.8.dr Static PE information: TimeDateStamp 0xFC177629 [Thu Jan 10 08:13:29 2104 UTC] (compile timestamp lies in the future, i.e. the PE header timestamp was forged)
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0022F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_0022F200
Source: initial sample Static PE information: section where entry point is pointing to: .boot (together with the .themida and .vm_sec sections listed below, the section layout of a Themida/WinLicense-protected binary)
Source: explorha.exe.6.dr Static PE information: real checksum: 0x1da068 should be: 0x1d31b5
Source: amert[1].exe.2.dr Static PE information: real checksum: 0x1da068 should be: 0x1d31b5
Source: NewB.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: swiy.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x32404
Source: NewB[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: swiy[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0x32404
Source: alexxxxxxxx.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: cred64.dll.8.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: cred64[1].dll.8.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: jok[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0x547e4
Source: swiiiii.exe.8.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: alexxxxxxxx[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: sarra[1].exe.2.dr Static PE information: real checksum: 0x25c164 should be: 0x25b84a
Source: clip64.dll.8.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: install[1].exe.8.dr Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: clip64[1].dll.8.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: amert.exe.2.dr Static PE information: real checksum: 0x1da068 should be: 0x1d31b5
Source: jok.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x547e4
Source: install.exe.8.dr Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: swiiiii[1].exe.8.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name:
Source: fjL0EcgV6Y.exe Static PE information: section name: .vm_sec
Source: fjL0EcgV6Y.exe Static PE information: section name: .themida
Source: fjL0EcgV6Y.exe Static PE information: section name: .boot
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name: .vm_sec
Source: explorta.exe.0.dr Static PE information: section name: .themida
Source: explorta.exe.0.dr Static PE information: section name: .boot
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: .idata
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: pebjcioa
Source: sarra[1].exe.2.dr Static PE information: section name: qliweygd
Source: sarra[1].exe.2.dr Static PE information: section name: .taggant
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name: .idata
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name: tgqtxtnx
Source: amert[1].exe.2.dr Static PE information: section name: ouenqhoa
Source: amert[1].exe.2.dr Static PE information: section name: .taggant
Source: amert.exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name: .idata
Source: amert.exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name: tgqtxtnx
Source: amert.exe.2.dr Static PE information: section name: ouenqhoa
Source: amert.exe.2.dr Static PE information: section name: .taggant
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: .vm_sec
Source: random[1].exe.2.dr Static PE information: section name: .themida
Source: random[1].exe.2.dr Static PE information: section name: .boot
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name:
Source: aea7caadbf.exe.2.dr Static PE information: section name: .vm_sec
Source: aea7caadbf.exe.2.dr Static PE information: section name: .themida
Source: aea7caadbf.exe.2.dr Static PE information: section name: .boot
Source: explorha.exe.6.dr Static PE information: section name:
Source: explorha.exe.6.dr Static PE information: section name: .idata
Source: explorha.exe.6.dr Static PE information: section name:
Source: explorha.exe.6.dr Static PE information: section name: tgqtxtnx
Source: explorha.exe.6.dr Static PE information: section name: ouenqhoa
Source: explorha.exe.6.dr Static PE information: section name: .taggant
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.7.dr Static PE information: section name: .vm_sec
Source: RageMP131.exe.7.dr Static PE information: section name: .themida
Source: RageMP131.exe.7.dr Static PE information: section name: .boot
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name:
Source: MPGPH131.exe.7.dr Static PE information: section name: .vm_sec
Source: MPGPH131.exe.7.dr Static PE information: section name: .themida
Source: MPGPH131.exe.7.dr Static PE information: section name: .boot
Source: alexxxxxxxx[1].exe.8.dr Static PE information: section name: .00cfg
Source: alexxxxxxxx.exe.8.dr Static PE information: section name: .00cfg
Source: cred64[1].dll.8.dr Static PE information: section name: _RDATA
Source: cred64.dll.8.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FED10C push ecx; ret 2_2_00FED11F
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0050931A push ebp; mov dword ptr [esp], edx 7_2_005E1C33
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0050931A push 7ACA4E51h; mov dword ptr [esp], ecx 7_2_005E1D10
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0050931A push 3065C6BDh; mov dword ptr [esp], esp 7_2_005E1D18
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00193F59 push ecx; ret 7_2_00193F6C
Source: fjL0EcgV6Y.exe Static PE information: section name: entropy: 7.9986498410293665
Source: fjL0EcgV6Y.exe Static PE information: section name: .boot entropy: 7.956255917420769
Source: explorta.exe.0.dr Static PE information: section name: entropy: 7.9986498410293665
Source: explorta.exe.0.dr Static PE information: section name: .boot entropy: 7.956255917420769
Source: sarra[1].exe.2.dr Static PE information: section name: entropy: 7.924648547837475
Source: sarra[1].exe.2.dr Static PE information: section name: pebjcioa entropy: 7.9321971040715535
Source: amert[1].exe.2.dr Static PE information: section name: entropy: 7.984896223453351
Source: amert[1].exe.2.dr Static PE information: section name: tgqtxtnx entropy: 7.953308816348314
Source: amert.exe.2.dr Static PE information: section name: entropy: 7.984896223453351
Source: amert.exe.2.dr Static PE information: section name: tgqtxtnx entropy: 7.953308816348314
Source: random[1].exe.2.dr Static PE information: section name: entropy: 7.999592556641182
Source: random[1].exe.2.dr Static PE information: section name: .boot entropy: 7.955099922607866
Source: aea7caadbf.exe.2.dr Static PE information: section name: entropy: 7.999592556641182
Source: aea7caadbf.exe.2.dr Static PE information: section name: .boot entropy: 7.955099922607866
Source: explorha.exe.6.dr Static PE information: section name: entropy: 7.984896223453351
Source: explorha.exe.6.dr Static PE information: section name: tgqtxtnx entropy: 7.953308816348314
Source: RageMP131.exe.7.dr Static PE information: section name: entropy: 7.999592556641182
Source: RageMP131.exe.7.dr Static PE information: section name: .boot entropy: 7.955099922607866
Source: MPGPH131.exe.7.dr Static PE information: section name: entropy: 7.999592556641182
Source: MPGPH131.exe.7.dr Static PE information: section name: .boot entropy: 7.955099922607866
Source: swiiiii[1].exe.8.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.8.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiy[1].exe.8.dr Static PE information: section name: .text entropy: 7.985989435134696
Source: swiy.exe.8.dr Static PE information: section name: .text entropy: 7.985989435134696
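The static indicators listed in this section (sections with blank or randomized names, the entry point sitting in .boot rather than .text, section entropies just under 8.0 bits per byte, CheckSum fields that are zero or disagree with the recomputed value, a TimeDateStamp in 2104, and sections that end up both writable and executable) can all be reproduced from the raw file bytes without a sandbox. The following is an added example written for this page, not Joe Sandbox code and not derived from the dropped files: it parses the PE headers with the standard library only, recomputes the imagehlp-style checksum, measures per-section Shannon entropy, and runs the checks over a constructed two-section PE32 (build_sample_pe) that carries the report's timestamp 0xFC177629 and a zero CheckSum. The 7.0-bit entropy threshold, the "not .text/CODE" entry-point rule and all helper names are assumptions.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumed threshold; packed or encrypted sections sit near 8.0
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(buf):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data, checksum_offset):
    """Recompute OptionalHeader.CheckSum the way imagehlp does: fold the file as
    32-bit words with end-around carry, skip the CheckSum field, add the length."""
    padded = data + b"\0" * (-len(data) % 4)
    acc = 0
    for i in range(len(padded) // 4):
        if i == checksum_offset // 4:
            continue
        acc += struct.unpack_from("<I", padded, i * 4)[0]
        if acc >= 1 << 32:
            acc = (acc & 0xFFFFFFFF) + (acc >> 32)
    acc = (acc & 0xFFFF) + (acc >> 16)
    acc = (acc + (acc >> 16)) & 0xFFFF
    return acc + len(data)


def triage_pe(data, now=None):
    """Reproduce the report's static obfuscation indicators from raw PE bytes."""
    now = now or datetime.now(timezone.utc)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, stamp, opt_size = struct.unpack_from("<HI8xH", data, e_lfanew + 6)
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64  # same offset in PE32 and PE32+
    hdr_checksum = struct.unpack_from("<I", data, checksum_off)[0]
    sections, findings, entry_section = [], [], None
    for i in range(n_sections):
        raw_name, vsize, va, raw_size, raw_ptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        perms = "".join(f for f, bit in (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE),
                                         ("X", IMAGE_SCN_MEM_EXECUTE)) if chars & bit)
        sections.append({"name": name, "entropy": ent, "perms": perms})
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = name
        if not name:
            findings.append(f"section {i} has a blank name")
        if ent > HIGH_ENTROPY:
            findings.append(f"section {name!r} entropy {ent:.2f}: packed or encrypted")
        if "W" in perms and "X" in perms:
            findings.append(f"section {name!r} is writable and executable")
    if entry_section is not None and entry_section not in (".text", "CODE"):
        findings.append(f"entry point lies in section {entry_section!r}")
    computed = pe_checksum(data, checksum_off)
    if hdr_checksum != computed:
        findings.append(f"real checksum 0x{hdr_checksum:x} should be 0x{computed:x}")
    compiled = EPOCH + timedelta(seconds=stamp)
    if compiled > now:
        findings.append(f"compile timestamp {compiled:%Y-%m-%d %H:%M:%S} UTC lies in the future")
    return {"timestamp": compiled, "checksum_header": hdr_checksum, "checksum_computed": computed,
            "checksum_offset": checksum_off, "entry_section": entry_section,
            "sections": sections, "findings": findings}


def build_sample_pe():
    """Constructed two-section PE32 for this demo (none of the dropped files): a zero-filled
    .text, a blank-named RWX section of uniform bytes holding the entry point, the report's
    TimeDateStamp 0xFC177629 and a CheckSum field left at zero."""
    align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0xFC177629, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)  # AddressOfEntryPoint, inside the blank section
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x3000, align)  # SizeOfImage, SizeOfHeaders
    text = struct.pack("<8sIIII12xI", b".text", align, 0x1000, align, align,
                       IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
    blank = struct.pack("<8sIIII12xI", b"", align, 0x2000, align, 2 * align,
                        IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + blank
    headers += b"\0" * (align - len(headers))
    return headers + b"\0" * align + bytes(range(256)) * 2


if __name__ == "__main__":
    for line in triage_pe(build_sample_pe())["findings"]:
        print(line)
```

On a real dropped file, pass the file's bytes to triage_pe; the "real checksum ... should be" lines it emits use the same convention as the report, and a zero header checksum is common for unsigned, non-system binaries on its own, so it carries weight only in combination with the entropy, section-name and entry-point findings.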

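The call chain recorded above for aea7caadbf.exe at 7_2_0022F200 (VirtualAllocEx, WriteProcessMemory, a second VirtualAllocEx, LoadLibraryA and GetProcAddress to resolve an export locally, more WriteProcessMemory, then CreateRemoteThread and WaitForSingleObject) is the textbook remote-thread injection sequence: memory is reserved in the target, a payload or argument block is written into it, and a thread is started either inside the written region or at a resolved export such as LoadLibraryA with the written buffer as its parameter. The following is an added example, not code from the report or the sample, showing how a hooked API trace can be reduced to that pattern per target process handle so that an unrelated allocation or a remote thread into memory the injector never touched does not fire. The (api, args, ret) trace layout, the field names and every handle and address are assumptions constructed for the demo.

```python
PAGE_EXECUTE = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY


class RemoteInjectionDetector:
    """Correlates VirtualAllocEx / WriteProcessMemory / CreateRemoteThread by target
    process handle, plus GetProcAddress results the injector resolved locally."""

    def __init__(self):
        self.regions = {}      # hProcess -> [{"base", "size", "protect", "written"}]
        self.resolved = set()  # export addresses returned by GetProcAddress

    def _region(self, hproc, addr):
        for r in self.regions.get(hproc, []):
            if r["base"] <= addr < r["base"] + r["size"]:
                return r
        return None

    def feed(self, api, args, ret):
        """Consume one logged call; return a finding when a remote thread is started
        at, or handed, memory the injector itself populated."""
        if api == "VirtualAllocEx" and ret:
            self.regions.setdefault(args["hProcess"], []).append(
                {"base": ret, "size": args["dwSize"], "protect": args["flProtect"], "written": 0})
        elif api == "WriteProcessMemory":
            r = self._region(args["hProcess"], args["lpBaseAddress"])
            if r:
                r["written"] += args["nSize"]
        elif api == "GetProcAddress" and ret:
            self.resolved.add(ret)
        elif api == "CreateRemoteThread":
            hproc = args["hProcess"]
            start = self._region(hproc, args["lpStartAddress"])
            param = self._region(hproc, args.get("lpParameter", 0))
            if start and start["written"]:
                technique = "code injection: thread starts in a region the injector wrote"
            elif param and param["written"] and args["lpStartAddress"] in self.resolved:
                technique = "DLL injection: resolved export run with an injected buffer as argument"
            else:
                return None
            region = start or param
            return {"target": hproc, "thread": ret, "technique": technique,
                    "region": region["base"], "executable": region["protect"] in PAGE_EXECUTE}
        return None


def scan_trace(trace):
    """Run the detector over (api, args, ret) tuples and collect the findings."""
    det = RemoteInjectionDetector()
    return [hit for hit in (det.feed(*ev) for ev in trace) if hit]


# Constructed trace, not from the report: the same call order as 7_2_0022F200 with
# invented handles and addresses, followed by two calls that must not fire.
SAMPLE_TRACE = [
    ("OpenProcess", {"dwProcessId": 4120}, 0x1A4),
    ("VirtualAllocEx", {"hProcess": 0x1A4, "dwSize": 0x1000, "flProtect": 0x04}, 0x5A0000),
    ("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x5A0000, "nSize": 0x40}, 1),
    ("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x5A0040, "nSize": 0x20}, 1),
    ("VirtualAllocEx", {"hProcess": 0x1A4, "dwSize": 0x2000, "flProtect": 0x40}, 0x5B0000),
    ("LoadLibraryA", {"lpLibFileName": "kernel32.dll"}, 0x76F00000),
    ("GetProcAddress", {"hModule": 0x76F00000, "lpProcName": "LoadLibraryA"}, 0x76F1A2B0),
    ("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x5B0000, "nSize": 0x300}, 1),
    ("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x5B0300, "nSize": 0x10}, 1),
    ("CreateRemoteThread", {"hProcess": 0x1A4, "lpStartAddress": 0x5B0000, "lpParameter": 0x5A0000}, 0x1B8),
    ("WaitForSingleObject", {"hHandle": 0x1B8, "dwMilliseconds": 0xFFFFFFFF}, 0),
    ("VirtualAllocEx", {"hProcess": 0x2C0, "dwSize": 0x1000, "flProtect": 0x04}, 0x7C0000),
    ("CreateRemoteThread", {"hProcess": 0x2C0, "lpStartAddress": 0x77012340, "lpParameter": 0}, 0x1C4),
]

if __name__ == "__main__":
    for hit in scan_trace(SAMPLE_TRACE):
        print(f"target handle 0x{hit['target']:x}: {hit['technique']} (region 0x{hit['region']:x})")
```

Keying on the process handle rather than on the bare API names is what keeps the rule quiet on legitimate callers (debuggers, some installers) that allocate in or thread into another process without first writing a payload into the memory the thread will use; the same correlation works on Sysmon event 8 (CreateRemoteThread) joined to event 10 (ProcessAccess) when a full API trace is not available.
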
Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\VOC2vgozeooRPwe4xNfnekbg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\o70oR4A1odPm6ZpEPmcUY0kf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Ud8P6u9zcQkOThPmdNJauqRX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\XBajRwldCSS42gwh4zu9f3ce.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ArokRzfYMxWDCVlcYzlFE2Lj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\p7KXtY1OslUIeP9Ce7HA7pcJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ar5KINQCCayk0Kw6DN1FAVFx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\swiiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\qXzqKXhtyyRVQ12sGB23FDz0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\iiEhcrEC7kfTSvcQ2xPEqYzR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\WIZZw2jIWtghnINz7Bolcg6s.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\h9zNDFfiMy6YEXVQdIbIdOv5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\GcbucsdsAk7dv2EzyRdhbByI.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\R7igej85hEl8p5QzHqqsVcc4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\k4a17b3U4KeqWyuMzrdWzqyt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\joRzh0eN9ubjpRYMOMHaTsYl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\zQeTuw5vxgdbKmiVRBeW6SUZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\vG3D68E3KVPIYrQEMWMU27tl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\zqrjs0OTmaC5sGR5VDn5k391.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\vQkPzCCvFzBxzLEPKtUXhb4x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\27xttgdEmHmLdE1NNbjDPunl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\WmwQPTarASP4EtQ3MAZKQqLX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\4ebcbWCvvuWPOCPYovXXMriV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\CwwSkg4Z6r2CyUx7eieftoSL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\US6SMVSChPuNg0C79rqEySgv.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Nx2ualF4WR83o8BLpmD9zVrW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\9DP8FgphO9xB4vzM75llXw4b.exe
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\fW9mvrDIULE1qzTuYb8DunLu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\0FhI3ymKwyu4YKH0P5aiSwr9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\NAw5Utgp8P611rdec0BR0MlI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\7mRVtPlrMfZmo26ldo406lmd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\kivxs7Zej5QjZRx4S943Y5EA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Yv6kDvOTN4rtEsFYOeCJZShm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Zy6qmavCIexKIuB9nNrNHs9p.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\OjMaXQfausZW7L4bZ74RhT97.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\FMABIYNaDvdpX82vGnLOftDu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\jDKkqPCmIoUaiq9LrPYuCKQs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\NXXoMKuzuftWWcaGwWfRizTp.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\TexEUOb49XCfEjOcQuxS4LdR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\F5nHoJjiPsXq9PqBPnN3uVb5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\DqApJooverXr18YkrozyIUpZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\qiW5UZkXzhMJ8qrVDgrcAGm1.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ARFJvysANOCKBRK3eId7VsQB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\aR1aAXIrzQtExVh9FbdfoBrR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\lI1wLYD1b5s5Qo04Ewg0WqV1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\xFvJiGaaRqrUdwrQth3PHHC0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\NAo5jaAAmqipcIgVfrpEqrOC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\fRiNFTEVJnpONJofzyWKlqwW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\gsF9GZceaIYWveF9Wn0mXwbt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\6lvatP6Q76Lt1uvfZT2GD6HY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Loo9WoJBx4a6RLa9vZq7467f.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\UrMKiBsPUmHBdjATiF2xGFWW.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\1000021002\2c9ff67496.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\5Xza309AWSsKZ7QtcoKLlH6j.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\xYhK2iEXeksXlPa9BMLXm5tE.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amert[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\D8TGVGr0asGkgU3ycSpOmYcn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Yg9IAPVdFD93gbLGPdcvbgw2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Y0ZKJ4dRBRkIRESl8nT570lZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\enEog6vYdNgmFKOyGbVQTrXc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\91wCUE8aqMgtssmXq8JjQEVt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\OFqYXukHEjQzmQ3ijziOsyC5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Czc5fung6FsMhCVG7EMYaiqO.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\file300un[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ELbDrf9qIHQaBWPxuiJjUCoM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\f3qMySWuesp6iqsnQUyX8UG1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\v4pPJZm6TK3eJidyD0YTpSI8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\VUhKLgvybQx21ilX50E3IN7y.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\cqEYVGnsRBmElwXA0pViDIv4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\nw6IIdZQfEhqp8k6unIrj2qH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\N14E2wCpaY7ufVWw1V4rquym.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\w73g23dHAf0dTWCMUXFqmd74.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\dLosfqkp920zMbaetcnvwrJJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\z2u4DwiwBezR2xi11GPVbROw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ybCY5oONgBmPsQ2TsLXObZGj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\aAFMFn8XgxK4ax5TQ7f1st28.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\bVARrzkwQmnP1mnoffZ1HExy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\WllNfMrTNMJ4E1bpkfOuURJc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\O8qlhpLK7TtBYe0J94Fm1B86.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\PbrRyuOT2DJaFlbAzGY6neq7.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\VRZS2eg6KpyehTgltwjCKDt4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\J6EKnVYc7FheOARgvJ4DtZho.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\RbvLNaGRBEsayaSXnP4Zo5B2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\JkJexXpPrIyNVfwGJRUJua9O.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\604jEG5qQpdnhPVOdLS1sPeh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ZFNbxiSI6dIgrSto9a3Z7jlo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\YdDMLcotJvPaOVEHpalanl1d.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000081001\install.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\tRGz8YUeJOvAWwmplTaCNv1T.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\2D21U1bRl2sEI2OnuIMYALNl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\3bvlPX7g5Zc6pp8TPpEM470u.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\TwRm9Z0OjBAq1e9wDGeHmdCv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\bU6cqro2wPcmClLzDGRpxfw1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\3OywHIBuj0AIQ7Aq3CE27htS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\pTXFwTPyWVPZ4sTiGkA8a5ei.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\GFV2yyE0PpJkpGdl2N1D7Pr9.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\kqcWDzUDzGODoV7JWmwBlZRR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Tn3AK9zqC5GmoiH5iA9IY9Q6.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\v7Li9n9DDXtQeZJRorH86P5g.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\hQa9fYPzQBrGD6byFRloLN5U.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\gpxXZca2LPxp8nx3YxfAq52Q.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\vwsgN3REbITHxJG5vlKYY3Vx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\fybzTZ3WiLAPEZj0fVOx3M0F.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\install[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\7QngCiEI0nWQ5NI3rtCate4r.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\eNB1RX0hn7cF5yIvRdwV0Sdv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\yNQkYyPgov8fX5k7nVDGzk6w.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\nRXc5v7fBpZ3Rt6WXas92N9q.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\0rCtm6Hv5UQtXJOFVlEJjcOA.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\swiy[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\bsl30mcD1mRV5YLU9isxcsMk.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\UnZ9xXtOVzbDDdfuNC2Trxtk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Te8IoKHiu7i6R94P1wuixO8g.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ZA6xyNAEYiDprMq2qgywyku5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\TEpqQjIAfTfCTbePKUGsV0Gk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\uU9N3wILYLaLsdrVTU78EpKz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m7rmoohzeMWquAaKzkk44dVj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvqSJt3tl4h6cFLkNI7pBJj3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6GqiHIfrVXBSZnggvuCnsYvX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IjO2xpTHgE815NSQlystxL8c.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EEuXRjfzeiH8g0YM0L56zBMH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c34MmnctgAY66QOjPh1MsOwS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FOHad4INGlVgGUzrXOJHgTLE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zTd9jVATVG0lNsWEWwXEZFpl.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zHj24vPtn17meARVbAfrBNWr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZUVBQJWmw30MkYm7XlKt7AGj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5plmIsCmu1c3pDoA2jFr0W4n.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiP2ZriYOwMApD298FYD4Lwu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KmRS6Y6tZZ9BPfv48PJiBemY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bHMeT4pgXesEvyW5uPXeXrhV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n4riRFZEfbyVOzVYofZBOrtB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LsPvdG3dCcHmKoaWKVaA23HW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwiFh4sCwLoSouuc0prFCqtK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UXpk6OrC4BILh0oiUWoQz54b.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DTIhxF5q0Qg6L1VWLqKGtCG4.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ukSLyv62ACmzThXwhB3niDP7.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5b1TWIrVUYsAwT3lLhmzDTv.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c71unQMWeg7PYGrwROGwHtyF.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qD3SrN8S7WnRLCMKBnzLsK1O.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnmqTLPgvl17VM6aTOSeVWAl.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IrkwNHffMo4Eka7tqdiM1FpJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STCrhsi84NOAwKBL55hj4E9M.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gAslh7vC2xygVyjix2LVTyPC.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h7tMLzMWAx4CTbi9OWkNEVuS.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o20nv1tLMaTOCdndUzZLyXfK.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yFtZUbxQWpIY2HaeXL30Ywxf.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q9pKFX60prYFxYuSKChGpHnm.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XAclRwykwhW5w1I14vXutIP8.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7DW6Gc6MAdQrxCFHJUHs17zd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54jPFh9oLJVW9bkfFqvuPgKg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jzizZsyjVCfkdBoHaY04ImfY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cWf68SrrVhigcjAkioMoDc9M.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pe45LiQAO3PHwvHnhaBGnATu.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xVyc1vIYuCdL1tewhYCziFVg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nA8bY9X2FgzDvoAfS8gVQ1wr.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oo2nklTvOQFEbMqjuAmf1Hnt.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6imaeIZVrnGARWYKvSqZT3zH.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwizdCQzMqPRubh3w9ge1vnD.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqU1ZUdZjjkc4TpP3qVRVTsG.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrXTpI9TA9I1c40N4WaBDHUx.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jM4p86qq1bs1OanP3F710dRm.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t5H58EEc8NvQUOi24FS2QU9Z.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FUeo6cPMtQcyTnVLTt6Jjsg6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EaH3os3XyhQRwzfrIoMsgfOT.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y1TuohWqsbj6qW86KEnlWYJT.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YopaqCHxlkH079wqgDq82QyC.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y29RiGWpm89ujqyBR956QKV7.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gTBwdxjcV58Ds0EuIxEHQuyT.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\knu0oyMuRWGGQcesFzGIw2Wt.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HPpcD7tAr9JffyluVr9Dqnzg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sq2vrp3GOThXviJiP5PWUXgP.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q2MHhQs8ujbyxQ9nIy0rUSZ9.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rqQPiQHZVdsiyiCJe2b49hD1.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoHZgMdmi98eGRLir19wIU3i.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62G1Wdx3GqQR8gREza0Qjrhd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\te7OtjZEJK2Mk7mXcL1FVp1t.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ceU4OQADnN3GJaQwan1vgjT9.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pG2TxiBh4zhTCyAEyXazkYkx.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2nCXxdPnLk5JcX0DaVpRhjv8.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVnNMQ4xWRaJB6uq68mTJkZN.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4jfLDdZXDrYucdBARadSTAAL.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYpNAXn4iUQjB76qpm9rHvvP.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vAI2Xs35kAr2PgQ3tHk3TkCy.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWTZFaAwxnpP4x7n3ZxQtmcV.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7A3wvEg38KHuYPHbeRkE6OY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KvisCbG5r0sGPjOu6iOuXUA7.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F82kF5QJtwswX0bD7pirl83T.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5sXlOTcmnXvKeyfdiBhcw4ND.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egIuyYL0XWot1sQ1CKEo0yi2.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XEOnGkLosqdtoEbIuQ6cBGC6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WH9sbyUogprfrhqfOzjOuvhY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7xqIRWplklsXiVj9AJQsuokd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9XRyJ5AMIyBRzhQ2TMbTCcnl.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ySmmNhEhk7waj4UzYYFLdjJ8.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hLGrDTl5wAe0ZCERmdwmmvPw.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RV9AxJTOIoBEpSVL349oMZiu.bat Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STCrhsi84NOAwKBL55hj4E9M.bat
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File created: C:\Windows\Tasks\explorta.job
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OGxF8QiZwcaGkQdKkNxhjtKC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DaF2Olxq73DrcM5XABIaSDSs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0AhsRiT9HXP8nUVjVsC7lnJ0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gJg50l6myURZCwtjufWOVpuQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r2YWMyz1YP2FRpENqKhaRZyt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QdpodRlWnGVsi1g0pQlfyjkP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cybr2MFwU04XAQwxPolKMqQO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z40K3kSz8nbFzfavMmb2eQ1n.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ud84rpY6iPONwnxDRebDCuje.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nDPvMcSCVReoFfNwWf9VtsJX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\riJi6LbnhEUeeWoDdafUeGUh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cx4e8RO84usGaXQVOUIGUHN7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sMtjKcNXah8bWY1GB43Z2Nvo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\twq4PH3MymMUgP37K2gZssJh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNNHEyhgRrOs4sf0Abdt3Wtz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dpHGv1tNgh6UmtLh4Mqkjgjv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hSCCnQw7GVDGmVOXtfvP2hU8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jUWcmuyDRAqLaCBd9Dir7NUA.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZR34XbNproylHK1OhCoumicm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFmSJTQNwHQpsEsQ8FhGjVhf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCGrdnJ1qQVZI63zkxF23uXt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iL5NcfykjvYjelixOHPRaZHt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6FszJF4Jwp3QxyxLpDvQzAl2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dx9XlsFGiH3rpffDOMJTlVCT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3GVdArWrvqFumsoLu9aCMU9n.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L27QyUwBuL8LDeoeiTYngDXN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zf4TbZ9xgzGXCn5nRSi3ASnS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHfwD6qh2lBvC75Opce7fium.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2jk5Ed8sbV1MdGoz8FX4N9Hp.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdAu1py9oGqttgGdYGDbSYEP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGCuCvTDug6xrGNCcg8Zzr4Q.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87Myp1xPYg474LfEvPhin1sM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ok8j6Gi15r9nn69GkEMiN0f.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvTF5Stn8q8opEUq3BUf9Rv0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOLSA4x4asjbGy8gzHU30TYG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WNOBUZbm9yxe1iRKWoynoUIy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vo4ffLpBFZ5sdbnp27l8y074.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kPJfV3ZQezcsvjAhmetWY8Y8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xP7yTfvHKKcmGH9LL4Y0EV5l.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCcYLhQDhaKCD8C2TL308Ccy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4HuOT9Y3iOProWVE46tkp5iF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qIV5IkUFJT6RzFUeYYNriiUV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hPV8AWYTryNpE1mC5rBtXit0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\liIn7TjvcDqHfsnz7CkJCEKM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYOpd6e3YCsTXY2lWZg8CTug.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WDgC9U0r7503UsfGkF2RRn3x.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WiaMMQARpLPsDSLsvQ9qjDcs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tF8eEwyMMvkaTDsee1xL3HLS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdSL4NdEKZVGIWPsxIYWdkjz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brLaHNHGLFYzGG6LomG1B4Tq.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rZgSTCkIvN8yd8LayN7at2rk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9lhml6yObMMtVfHgzhCEXKiW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TQ7Xj8C54JgaNX9piUAHzDC2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDZBDFrQOFQSKgaXcgr0m0SH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIVjzIwHnUmpEmAuV0FqOhZ9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLDKPYpbZFVU5NBr5mETep15.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsnDe5krusoqelWGCXOp3Ese.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\80Iomx6dMXCqhiHR5OZ8eWyc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iMvChnakRPEkaD9Vn8Vadnrf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\46J92a3ClQAsYFD6LVy9eCdW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stm7mydXoCajWO8whM7xdLvc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6Sdb7d8DprhURPQDGAKSK94j.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1pHRZ1WVTkwE1Jqqj49K6TVM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wcn2wv9yjThIe2YI0pq7eSRN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3HBynVapH8nz8IySMCRtzjIo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lbsaepAiLNJYR1eyWB3aJPen.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98JvCEwV6EjOk0MbNLLOtSSq.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rqxMDrzhq4w4Wyoz26je6XFO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YZwOWglUJKZNfk0Tr6ufVqnF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9oim7S2Do6aMr062mmsJ8og6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1OUEB4W7HwU4gIL2MQvEH1zP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7jzqF6B7KYhIwop5Du95n6t0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0g2ftn8MzMEKjC1SL91RWtO0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spQnYLsoZn8FuPq7Rq7CHj3C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90sjRPCwDoM2H2uL8wp1VHna.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5IpslyurCImJpLxB2skJQKtk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dMlEgFklgLyUXbgOt2CQSyeo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ouwt4wjaBzBbldWsocbACzsI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgnCc8y5AIKgge6nJLgAKezu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ydL2O2Rp2S7GYzpUl5sssvWL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53G4C7fkisr75N0k0Yr3sc1j.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YhaxdmO6NS59ZyhzMB2qT76V.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BcXOICI69P2jzAegsKAB9xIZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cEElHYdot58DykVLbQVOezn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yEv7UzOa4D2SQVTKdy0KZBrz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vD86VQ7j1YxDcHW3sRNL2keZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0GMv9jZTcSw3m2Zzo1oAc5Kp.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qMSbk05eVuh0cDCaZ05cqYYm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LCtB7VLSyqko0a8UPu9cDXNs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5eoWgqllqSYAN6GnQgnRWOyK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pe2zVb5Lx59tdswPSzNRCctx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8tScOKc2FhcNTydZgmwXpKG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MF1n1MMRavEUlAvxHRMPbdvM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UkzNDwjKmksIzh7O57WF1ALJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyAKpWmpR7jV1gZPnSl06Cdn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njwwrVvaL3wGhJS4ZxillTvY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiAPJYfgX9RwDDruEp6r5bnw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgz7tPPFnFUHpWfqwocbe2NH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDgLEqYP2vYDLgaMARikOx9C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ijWfD0OEdNC6VkDu24y3Rne.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3zRfMhMIC0AjDney9eMJdTjf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DyQcp4eyTi30uvGlVwNKPZWh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\223Wr2Fp2qzADNFnnB7poHrJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FXCwMu1qq8h2DZK7BzuD0YTA.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSL5hB44p9iAfNXRGSPd5HdW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMWAVeXs6h4p9OUG1VPvRvUf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g3U1TJxNY6EWdrE5XnfwjDNZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvsAqBcs14MSMj5n8WcpjIQJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jyNSGsdxxLbtbZT1tgJZbFBN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWTvMja1w8IFflYe4c1dWcn2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tzTXHdO2770KAyXRmuUqLq0v.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBifmCHAE32dJaBTudWeQeic.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p1DEZhGyn4e3rEGBiwRbbVS5.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RO0wJRSV6jerStwWPZ7Qg7Es.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opa6VpUVU4ItMsikkorVFHGh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qMiyYzXywQQ6HUsYsiYCgMTf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0pgNNYepfpd1ep72J4H70XqG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmYshULAdXuSoLNh9KiorD58.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UhNz9jeL1xn8sCR8SjowJpOc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRUjFbJoTvrGefLBcITlKfd9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZlsvkS6ByVyXxkmQMdGfEcfr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cyLJ3m7ZPJSLd3ZuRVxbnE3s.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isKrb1wLEweQlNV1B0xqzvxk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4tAPySWDAPFfsDLEdFtyXetO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMxR9o5aAvZMrjCQUhD9HCL1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9PLm3CoXN6343EaXDXwAfru9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ZzCXoj423gmjbO1IwxWNDHP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tg5rCqW3mqvoxBUo1G1Of67b.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oqr25Evsg9WOTrsZ0VQQcZl8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mazxvv4LSujOl8iDjugFvUbN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lin1MFBl3hwvuCO3b41Oausr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z7n7OAst48KiwRxw3CThSB7H.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beTl29zkSOhao4hDAQ3xc2IX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V2G0bqE887F5d6XIWH4lyRCS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BPtxlAAYArafirsKvhTulnE8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fe7rLLgjrc7oFSlDzs5a0QrD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6MpvBSYy7QSy59FE2mASGDR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y0YyyGkClVNh7AiOB60bb5xx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VEGRZKNIwf60Lgl1MBoJQ0ZR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvvH2hK6rryg4Cg1rwqWElGj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LisYZCjcRKMOA9tgqlvWBYFX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CNfd5FiEPcxMOKTNBgdpS1PY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UOqMHoQ6sJWPszKy9pdAJESM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgNmv2f3PC4ea6prF24Y1Q3O.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e51Og1eFOzino0O7DaaBhKzx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmJNQ79PtAIeJXJjb4pH4xzP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flZPnObYdJxjXam4b7Afu6fW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uf6B5fw4fXszXeBdZJje8qoI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5mRkxrSVZ8mQXdnkR0bcs9BN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z2I3VgiKnHXlxEW8sZRfqj3o.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cTUA6hJRQqZfaaHxpQsjvDGi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCgckEGm4PGsBp4hNII9RWCb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sUgvnBNq9F0hYR8cgb1rDE7N.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Se1CGrooWTbosMPUIM3bKpgi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCWH8TaW9IQZKg5DQkHbDqxJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CuvvB4T4Z5K1LwZb28zOvoO7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDlZpZ3M3en2qQO1cfoPA1I1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\whVnM9rGJ13QjhGc1Rt16wa2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ypAzZbAHcREafMGRflK8FqL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6VNYKWyURTETEJdXck74Vgpa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FFTGVMEfsqk6j5oSz6zolzfL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ly548Y6PjIWHZ05puZx1i8N8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bixO5L74B9ixnhuSceKTzqO3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZlyNt4NgQIAJoJxWDPAmAsPv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ok6RlED8S3NTX5X3U5Jy2kCe.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02yWcihZkPqdFfZMeYSvhncc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NT0kx2lWWZ91znDneizhQaHo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IRxeCoXJY6JkXTxGsdt0TUFl.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sLBemkmbPAWlcMw9HPzyIWd1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L2O86RPVrJVS3laNoEySAhRr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sUXJBtnLfTGR9tyzbLiQcmcD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jljpEbOjbYACwFqIBm1kiJGi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2XUzlA8k5WK5zlvt3tTJwImN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zFgbHWM50vrkEjI3vzuyBIW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dL9MJob9nWX8FZAYyWD9Ut4N.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBriyiDzNpHyax19IH3WQHvV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLoIrKhz34gPeslplYeXvTYE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\maiZkA6ZHQSr4zLaqV7nMF8g.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CK8mgIhAZK0QzLNTNZuSbUoH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zbz0wpakMIyBfTSoyYM85bCt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVh0F5xHsjXT8AKR9GZ1WCxY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N5je2TuP0NZeaqaqdxYy85NF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKZYxLRDuoUz2qJHflbvTYna.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F4jGAqx0AlFkEFV9d1HGs00R.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AR4dLubUhSpG7yYwe01z0wt1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OzzXoIKlVGWCCm8n1jA0R77y.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44FJzHoQ1A4IsV1f1ac9TihC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A7fQLTArS05zuFFcZCiF4aV9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U9kQAbIjmfH5gnYDkkcr5N0B.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vxSMT75ZK9xqII2EvqG5wUyR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FGgboOj6M0Japikm1aF93yr1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nVhAOQdd2NnYXtsOhH2CoEIv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ft0WOttlZlpKpMdZSnKtpGBX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TqqykfPo7pEIpGfLS98j6JLn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvWH6jTdmaobHQpeKa8QMfmF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEi7QcndVjucI1YTwi4LH8yG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOi4FRPVOEbPzOmbwntlzt2Q.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\euZx2LVZcKmVfRuQHSHBly5W.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K6ER7CKyfGlYZfnc9LFL2pPe.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dSTotanv7U42nerMY8Xbncl5.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NHebJu3zFkPDrak3auvIjrSB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1zoVu5VJKkUoNKt6ZUPBgGLd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iW32fBwuXqTRXkwTTV9tnE4Y.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXVNvm9czP30VfGRKOb8NQ99.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gkdNInesmzVzVnL58vVmpOC0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElwTXFgYpDJPq6ia2zSutSfk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50nriTd7pYXWjJrxKQVsJbjK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DjAynFk5t26gdRT9HQ6r6Ha4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zvydu6CveySMcgpTmnCqZHFi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0mI3ziaaiGwEZw2JcH1QmfK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERJjdWXBMC4KwkZbMy3aNp7s.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4VWKGnOZbSrWJcYB0IuLOHh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m47NhrS8mJ7FJOyuNP7YLcDb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h131SDDbHMqABr109sBD1eGu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2OltYTqremlJnfAVhyJtnVrc.bat
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 (2 identical events)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical events)
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX (26 identical events)
Source: C:\Users\user\1000021002\2c9ff67496.exe Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process information set: NOOPENFILEERRORBOX (16 identical events)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process information set: NOOPENFILEERRORBOX (16 identical events)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 identical events)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 identical events)
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: file300un.exe PID: 3940, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe System information queried: FirmwareTableInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: E9F47A second address: E9F495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCC1D4AC75Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105D3F2 second address: 105D3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105E32B second address: 105E335 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105E335 second address: 105E33A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105F32F second address: 105F333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105E5AB second address: 105E5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105E5B1 second address: 105E5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105F46C second address: 105F471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105F471 second address: 105F477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105F536 second address: 105F54B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105F54B second address: 105F551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105F551 second address: 105F555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1063E55 second address: 1063E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCC1D4AC769h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1064EE3 second address: 1064EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1064EE7 second address: 1064EF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1066CA1 second address: 1066D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FCC1D4AF178h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov bl, al 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FCC1D4AF178h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 push 00000000h 0x00000045 mov di, si 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FCC1D4AF183h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1066D12 second address: 1066D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1066D18 second address: 1066D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1066E83 second address: 1066F3D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCC1D4AC76Dh 0x00000008 jmp 00007FCC1D4AC767h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 je 00007FCC1D4AC75Ch 0x00000018 or dword ptr [ebp+122D1B32h], ebx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007FCC1D4AC758h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f jmp 00007FCC1D4AC75Ah 0x00000044 mov edi, dword ptr [ebp+122D394Eh] 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 jmp 00007FCC1D4AC764h 0x00000056 mov eax, dword ptr [ebp+122D13E9h] 0x0000005c movzx edi, bx 0x0000005f push FFFFFFFFh 0x00000061 push 00000000h 0x00000063 push ebp 0x00000064 call 00007FCC1D4AC758h 0x00000069 pop ebp 0x0000006a mov dword ptr [esp+04h], ebp 0x0000006e add dword ptr [esp+04h], 00000016h 0x00000076 inc ebp 0x00000077 push ebp 0x00000078 ret 0x00000079 pop ebp 0x0000007a ret 0x0000007b mov ebx, 229C56CCh 0x00000080 nop 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 pushad 0x00000085 popad 0x00000086 pop eax 0x00000087 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1068F32 second address: 1068F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1066F3D second address: 1066F67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FCC1D4AC75Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1069DBC second address: 1069DF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FCC1D4AF188h 0x00000012 jmp 00007FCC1D4AF182h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1066F67 second address: 1066F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1069DF0 second address: 1069DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106BD6C second address: 106BD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106B04F second address: 106B053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106BD70 second address: 106BDC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FCC1D4AC75Fh 0x0000000d nop 0x0000000e xor dword ptr [ebp+122D1A1Fh], ebx 0x00000014 push 00000000h 0x00000016 movzx edi, di 0x00000019 push 00000000h 0x0000001b mov edi, ecx 0x0000001d xchg eax, esi 0x0000001e jmp 00007FCC1D4AC760h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FCC1D4AC765h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106B053 second address: 106B059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106BDC0 second address: 106BDC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106B059 second address: 106B05E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106E776 second address: 106E77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 106CF28 second address: 106CF2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 101B162 second address: 101B167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10758C6 second address: 10758CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10758CA second address: 10758D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10758D0 second address: 10758D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10758D5 second address: 10758E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnp 00007FCC1D4AC756h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 107FD8E second address: 107FD94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 107FD94 second address: 107FD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 107FD9A second address: 107FD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 107FD9E second address: 107FDAD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 107FF07 second address: 107FF17 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCC1D4AF17Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10801C7 second address: 10801E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FCC1D4AC756h 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007FCC1D4AC756h 0x00000015 popad 0x00000016 push ecx 0x00000017 ja 00007FCC1D4AC756h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108062B second address: 1080638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCC1D4AF176h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10807C4 second address: 10807F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCC1D4AC765h 0x00000008 jmp 00007FCC1D4AC765h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108092E second address: 1080932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1080932 second address: 108093B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108093B second address: 108095C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF17Ch 0x00000009 pop esi 0x0000000a jno 00007FCC1D4AF17Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108095C second address: 1080960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1080960 second address: 1080986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007FCC1D4AF196h 0x0000000d pushad 0x0000000e jmp 00007FCC1D4AF186h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10850A6 second address: 10850AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10851FD second address: 1085203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1085203 second address: 108520C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108520C second address: 1085212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108536D second address: 1085382 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCC1D4AC75Fh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10856CF second address: 10856DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCC1D4AF176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10856DB second address: 10856E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10856E3 second address: 10856EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10856EB second address: 10856F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10856F5 second address: 10856FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1084DC9 second address: 1084DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1084DCD second address: 1084DDC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1085B38 second address: 1085B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1085C7B second address: 1085C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCC1D4AF182h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1085C96 second address: 1085CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1085CA5 second address: 1085CB6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AF178h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1085CB6 second address: 1085CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108BDC1 second address: 108BDE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCC1D4AF183h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108A859 second address: 108A864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCC1D4AC756h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108A864 second address: 108A869 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108ADB0 second address: 108ADB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108ADB4 second address: 108ADC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108ADC3 second address: 108ADCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B088 second address: 108B08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B08C second address: 108B092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B092 second address: 108B09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCC1D4AF176h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B1F6 second address: 108B1FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B1FA second address: 108B208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FCC1D4AF176h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B208 second address: 108B226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCC1D4AC75Ah 0x0000000f jmp 00007FCC1D4AC75Ah 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B226 second address: 108B236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B38B second address: 108B38F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B38F second address: 108B399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B399 second address: 108B39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B39F second address: 108B3A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B3A9 second address: 108B3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108B3AF second address: 108B3B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108BC48 second address: 108BC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC75Bh 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007FCC1D4AC756h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 108BC65 second address: 108BC6F instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AF17Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052171 second address: 1036DB3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCC1D4AC765h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e adc cx, 0CA7h 0x00000013 call dword ptr [ebp+122D2E90h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCC1D4AC75Fh 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052383 second address: 1052393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FCC1D4AF178h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052393 second address: 1052399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105261D second address: 1052622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052622 second address: 1052628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052628 second address: 105262C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105262C second address: 1052630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052721 second address: 1052725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052725 second address: 105272B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105272B second address: 1052731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10527E2 second address: 105281A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FCC1D4AC769h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FCC1D4AC758h 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105281A second address: 105287E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AF178h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f jnl 00007FCC1D4AF180h 0x00000015 pop eax 0x00000016 pop eax 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FCC1D4AF178h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jc 00007FCC1D4AF17Dh 0x00000037 jnp 00007FCC1D4AF177h 0x0000003d push FB3ACA71h 0x00000042 pushad 0x00000043 push esi 0x00000044 jns 00007FCC1D4AF176h 0x0000004a pop esi 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10529AE second address: 10529C3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCC1D4AC758h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052B0C second address: 1052B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052D65 second address: 1052D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 105349B second address: 10534A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109289C second address: 10928D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCC1D4AC769h 0x0000000b jne 00007FCC1D4AC756h 0x00000011 popad 0x00000012 push ecx 0x00000013 jmp 00007FCC1D4AC75Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10928D0 second address: 10928D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10928D9 second address: 10928DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10928DD second address: 10928E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10928E8 second address: 10928F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10928F3 second address: 1092911 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FCC1D4AF183h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1092BAF second address: 1092BBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1092CFF second address: 1092D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1092D07 second address: 1092D1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1092D1A second address: 1092D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1092D1E second address: 1092D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1093046 second address: 109304B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1098993 second address: 109899A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109899A second address: 10989AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10989AD second address: 10989B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109ACCA second address: 109ACD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109A9D3 second address: 109A9DD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109DCCC second address: 109DCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109DCD0 second address: 109DCD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D720 second address: 109D72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007FCC1D4AF176h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D72E second address: 109D732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D87F second address: 109D883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D883 second address: 109D8A3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AC756h 0x00000008 jmp 00007FCC1D4AC766h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D9A3 second address: 109D9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D9A9 second address: 109D9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D9B4 second address: 109D9F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jns 00007FCC1D4AF176h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop esi 0x00000013 ja 00007FCC1D4AF183h 0x00000019 jmp 00007FCC1D4AF17Dh 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jnc 00007FCC1D4AF17Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D9F1 second address: 109D9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109D9F8 second address: 109DA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 109DA01 second address: 109DA1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCC1D4AC767h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10160CF second address: 10160D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10160D3 second address: 1016100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC765h 0x00000007 js 00007FCC1D4AC756h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007FCC1D4AC75Eh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A462A second address: 10A4636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCC1D4AF176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A4636 second address: 10A4643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FCC1D4AC756h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10160FC second address: 1016100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A493B second address: 10A494F instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AC75Ch 0x00000008 je 00007FCC1D4AC756h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A4AD2 second address: 10A4AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A4E16 second address: 10A4E1C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A4E1C second address: 10A4E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A4E22 second address: 10A4E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A4E28 second address: 10A4E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1052F57 second address: 1052F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A511E second address: 10A512E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCC1D4AF17Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A512E second address: 10A5134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A5134 second address: 10A514D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10A514D second address: 10A5151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AACE4 second address: 10AACEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AACEA second address: 10AACEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AA593 second address: 10AA59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AA840 second address: 10AA848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AA848 second address: 10AA87C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCC1D4AF188h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b jns 00007FCC1D4AF176h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AA87C second address: 10AA888 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCC1D4AC756h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AA888 second address: 10AA88D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD2D9 second address: 10AD2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD2DD second address: 10AD2E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD2E7 second address: 10AD2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD2ED second address: 10AD2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD2F1 second address: 10AD2FF instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD459 second address: 10AD47F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FCC1D4AF176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jl 00007FCC1D4AF176h 0x00000013 pop edx 0x00000014 pushad 0x00000015 jmp 00007FCC1D4AF17Bh 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD47F second address: 10AD489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AD489 second address: 10AD4B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF183h 0x00000009 je 00007FCC1D4AF176h 0x0000000f popad 0x00000010 jnl 00007FCC1D4AF17Eh 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AF239 second address: 10AF23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10AF23F second address: 10AF263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edx 0x0000000c jno 00007FCC1D4AF176h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jnl 00007FCC1D4AF176h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10B0865 second address: 10B0869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10B0869 second address: 10B0876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10B0876 second address: 10B087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10B6331 second address: 10B6341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jnc 00007FCC1D4AF176h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10B6B85 second address: 10B6BAD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCC1D4AC75Fh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FCC1D4AC75Ch 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0686 second address: 10C068B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0AA8 second address: 10C0AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0AAE second address: 10C0ADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF180h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FCC1D4AF187h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0D9B second address: 10C0DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0DA1 second address: 10C0DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0DA7 second address: 10C0DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0EFC second address: 10C0F10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C0F10 second address: 10C0F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C11A6 second address: 10C11AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C8606 second address: 10C8612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FCC1D4AC756h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C8612 second address: 10C8618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C8618 second address: 10C861E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C861E second address: 10C8624 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C8A6B second address: 10C8A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C8A71 second address: 10C8A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C8E9D second address: 10C8EB3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AC75Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007FCC1D4AC756h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C901D second address: 10C9021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C9E99 second address: 10C9E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C9E9F second address: 10C9EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C9EA5 second address: 10C9EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C7D3F second address: 10C7D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C7D45 second address: 10C7D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C7D49 second address: 10C7D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10C7D4D second address: 10C7D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 10DF307 second address: 10DF30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 515013E second address: 5150168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCC8F70FF61h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dx, ax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5150168 second address: 515016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 515016E second address: 5150172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5150172 second address: 5150176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5150176 second address: 51501E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e mov bx, E116h 0x00000012 popad 0x00000013 xor eax, dword ptr [ebp+08h] 0x00000016 pushad 0x00000017 mov bl, al 0x00000019 jmp 00007FCC1D4AC765h 0x0000001e popad 0x0000001f and ecx, 1Fh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FCC1D4AC763h 0x0000002b xor si, 22FEh 0x00000030 jmp 00007FCC1D4AC769h 0x00000035 popfd 0x00000036 push esi 0x00000037 pop edx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51501E1 second address: 5150232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b jmp 00007FCC1D4AF17Eh 0x00000010 leave 0x00000011 jmp 00007FCC1D4AF180h 0x00000016 retn 0004h 0x00000019 nop 0x0000001a mov esi, eax 0x0000001c lea eax, dword ptr [ebp-08h] 0x0000001f xor esi, dword ptr [00E94014h] 0x00000025 push eax 0x00000026 push eax 0x00000027 push eax 0x00000028 lea eax, dword ptr [ebp-10h] 0x0000002b push eax 0x0000002c call 00007FCC217ADC3Ch 0x00000031 push FFFFFFFEh 0x00000033 pushad 0x00000034 mov dh, ah 0x00000036 push edi 0x00000037 pop ebx 0x00000038 popad 0x00000039 pop eax 0x0000003a pushad 0x0000003b pushad 0x0000003c mov cx, 17FFh 0x00000040 push ecx 0x00000041 pop edx 0x00000042 popad 0x00000043 popad 0x00000044 ret 0x00000045 nop 0x00000046 push eax 0x00000047 call 00007FCC217ADC49h 0x0000004c mov edi, edi 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5150232 second address: 5150238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5150238 second address: 5150257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, bl 0x0000000f mov bl, ah 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5150257 second address: 515028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCC1D4AC75Eh 0x00000009 or cx, 2B78h 0x0000000e jmp 00007FCC1D4AC75Bh 0x00000013 popfd 0x00000014 mov eax, 343EB2AFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop edi 0x00000022 movzx eax, dx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 515028C second address: 5150302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCC1D4AF182h 0x00000009 xor ecx, 57AD5508h 0x0000000f jmp 00007FCC1D4AF17Bh 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FCC1D4AF182h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007FCC1D4AF17Dh 0x0000002a pushfd 0x0000002b jmp 00007FCC1D4AF180h 0x00000030 sub esi, 38C349C8h 0x00000036 jmp 00007FCC1D4AF17Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100074 second address: 5100079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100079 second address: 51000BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF17Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ecx 0x0000000f jmp 00007FCC1D4AF17Eh 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 mov dx, 1EC0h 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCC1D4AF185h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51000BD second address: 51000E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC761h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCC1D4AC75Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51000E2 second address: 51000E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51000E9 second address: 5100153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a pushad 0x0000000b mov si, dx 0x0000000e push edx 0x0000000f mov ebx, esi 0x00000011 pop esi 0x00000012 popad 0x00000013 push ebp 0x00000014 jmp 00007FCC1D4AC766h 0x00000019 mov dword ptr [esp], esi 0x0000001c pushad 0x0000001d mov ebx, ecx 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+08h] 0x00000023 jmp 00007FCC1D4AC764h 0x00000028 xchg eax, edi 0x00000029 jmp 00007FCC1D4AC760h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FCC1D4AC75Eh 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100153 second address: 5100159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100159 second address: 510015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 510015D second address: 51001A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FCC1D4AF17Eh 0x00000011 test esi, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FCC1D4AF17Dh 0x0000001b call 00007FCC1D4AF180h 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51001A3 second address: 51001A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51001A9 second address: 51001AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51001AD second address: 51001CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FCC8F75ABAEh 0x00000011 pushad 0x00000012 mov di, cx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51001CB second address: 510021B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000e jmp 00007FCC1D4AF180h 0x00000013 je 00007FCC8F75D5B8h 0x00000019 pushad 0x0000001a mov esi, 7CEC20DDh 0x0000001f mov ecx, 018EEDD9h 0x00000024 popad 0x00000025 mov edx, dword ptr [esi+44h] 0x00000028 jmp 00007FCC1D4AF184h 0x0000002d or edx, dword ptr [ebp+0Ch] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 510021B second address: 5100238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100238 second address: 5100259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100259 second address: 510025D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 510025D second address: 5100270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100270 second address: 510029F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ADCAh 0x00000007 jmp 00007FCC1D4AC75Bh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FCC8F75AB59h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCC1D4AC760h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 510029F second address: 51002AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0819 second address: 50F081D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F081D second address: 50F0821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0821 second address: 50F0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0827 second address: 50F082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F082D second address: 50F0858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007FCC1D4AC75Eh 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0858 second address: 50F085C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F085C second address: 50F0862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0862 second address: 50F0868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0868 second address: 50F086C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F086C second address: 50F089C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCC1D4AF17Eh 0x00000012 and ax, 7058h 0x00000017 jmp 00007FCC1D4AF17Bh 0x0000001c popfd 0x0000001d mov di, ax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F089C second address: 50F08A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F08A2 second address: 50F08A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F09D0 second address: 50F09F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c mov dx, si 0x0000000f mov edi, eax 0x00000011 popad 0x00000012 je 00007FCC8F7620FCh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov edi, eax 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F09F3 second address: 50F0A34 instructions: 0x00000000 rdtsc 0x00000002 mov dl, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cl, dl 0x00000008 popad 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FCC1D4AF186h 0x00000015 mov ecx, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCC1D4AF187h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0A34 second address: 50F0AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCC8F7620A8h 0x0000000f pushad 0x00000010 call 00007FCC1D4AC75Ch 0x00000015 pushfd 0x00000016 jmp 00007FCC1D4AC762h 0x0000001b add ah, 00000068h 0x0000001e jmp 00007FCC1D4AC75Bh 0x00000023 popfd 0x00000024 pop esi 0x00000025 pushfd 0x00000026 jmp 00007FCC1D4AC769h 0x0000002b or ax, C886h 0x00000030 jmp 00007FCC1D4AC761h 0x00000035 popfd 0x00000036 popad 0x00000037 test byte ptr [77436968h], 00000002h 0x0000003e jmp 00007FCC1D4AC75Eh 0x00000043 jne 00007FCC8F76203Eh 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FCC1D4AC767h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0AED second address: 50F0AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0AF3 second address: 50F0AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0AF7 second address: 50F0B47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f mov ax, 771Bh 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FCC1D4AF17Fh 0x0000001e and al, 0000007Eh 0x00000021 jmp 00007FCC1D4AF189h 0x00000026 popfd 0x00000027 mov cx, BCC7h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0B47 second address: 50F0B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0B4D second address: 50F0BB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007FCC1D4AF186h 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 mov cx, AD6Dh 0x00000019 movzx ecx, bx 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FCC1D4AF184h 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FCC1D4AF180h 0x00000029 push dword ptr [ebp+14h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0BB4 second address: 50F0BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0BD1 second address: 50F0BE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0BE1 second address: 50F0BFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0BFB second address: 50F0C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0C2B second address: 50F0C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0C31 second address: 50F0C9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCC1D4AF17Ch 0x00000013 sub ax, EE18h 0x00000018 jmp 00007FCC1D4AF17Bh 0x0000001d popfd 0x0000001e call 00007FCC1D4AF188h 0x00000023 mov bx, si 0x00000026 pop eax 0x00000027 popad 0x00000028 mov esp, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FCC1D4AF188h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0C9D second address: 50F0CA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E484h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50F0CA6 second address: 50F0CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov bh, al 0x0000000d pushfd 0x0000000e jmp 00007FCC1D4AF187h 0x00000013 sbb ax, CA4Eh 0x00000018 jmp 00007FCC1D4AF189h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1056522 second address: 105652C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1056713 second address: 1056717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 1056717 second address: 1056758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FCC1D4AC763h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FCC1D4AC768h 0x00000019 jp 00007FCC1D4AC756h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100BCA second address: 5100BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100BD0 second address: 5100BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100BD4 second address: 5100C2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b mov cx, B749h 0x0000000f call 00007FCC1D4AF186h 0x00000014 pop esi 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007FCC1D4AF17Bh 0x0000001c add ax, 35AEh 0x00000021 jmp 00007FCC1D4AF189h 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100C2E second address: 5100C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100C32 second address: 5100C38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100C38 second address: 5100C7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC765h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCC1D4AC75Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FCC1D4AC767h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 510085A second address: 5100874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 jmp 00007FCC1D4AF17Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5100874 second address: 51008A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC768h 0x00000009 popad 0x0000000a mov ch, 52h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FCC1D4AC75Ch 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51008A7 second address: 51008AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, bl 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51008AE second address: 51008E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov si, 0593h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007FCC1D4AC766h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 call 00007FCC1D4AC75Dh 0x0000001d pop ecx 0x0000001e mov ecx, edx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51008E8 second address: 51008EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51008EE second address: 51008F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 518071B second address: 5180720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5180720 second address: 518075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 pushfd 0x00000007 jmp 00007FCC1D4AC765h 0x0000000c xor si, B746h 0x00000011 jmp 00007FCC1D4AC761h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov di, 55CEh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708EF second address: 51708F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708F3 second address: 51708F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708F9 second address: 51708FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708FF second address: 5170903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170903 second address: 5170907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170907 second address: 5170917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, dx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170917 second address: 517092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCC1D4AF17Ch 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 517092C second address: 517093E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AC75Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170844 second address: 5170849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170849 second address: 51708A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FCC1D4AC75Dh 0x0000000a or esi, 0C1DA566h 0x00000010 jmp 00007FCC1D4AC761h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FCC1D4AC75Ch 0x00000022 sbb ax, 1D08h 0x00000027 jmp 00007FCC1D4AC75Bh 0x0000002c popfd 0x0000002d mov ax, C77Fh 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708A3 second address: 51708A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708A7 second address: 51708AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708AD second address: 51708B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 51708B3 second address: 51708B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170AEC second address: 5170B51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF189h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCC1D4AF17Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCC1D4AF17Ch 0x00000019 sub ah, 00000068h 0x0000001c jmp 00007FCC1D4AF17Bh 0x00000021 popfd 0x00000022 jmp 00007FCC1D4AF188h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170B51 second address: 5170B9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCC1D4AC766h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov ebx, eax 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 popad 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, di 0x00000022 call 00007FCC1D4AC763h 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170B9F second address: 5170BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170BA5 second address: 5170BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC760h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f push esi 0x00000010 mov si, dx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push 8C89E878h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170BD0 second address: 5170BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170BD4 second address: 5170BDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170BDA second address: 5170C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF184h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 7377178Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCC1D4AF17Dh 0x00000019 adc ch, 00000066h 0x0000001c jmp 00007FCC1D4AF181h 0x00000021 popfd 0x00000022 mov ah, DEh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170C5D second address: 5170CA4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCC1D4AC75Ah 0x00000008 adc al, FFFFFF98h 0x0000000b jmp 00007FCC1D4AC75Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 movzx eax, al 0x00000017 jmp 00007FCC1D4AC766h 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCC1D4AC75Ah 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5170CA4 second address: 5170CAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 13F47A second address: 13F495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCC1D4AC75Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 13F495 second address: 13F499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C050F second address: 2C052C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC762h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C052C second address: 2C0539 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C0539 second address: 2C053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C053E second address: 2C054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C054C second address: 2C055B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2BF56D second address: 2BF5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FCC1D4AF176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FCC1D4AF17Dh 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 jmp 00007FCC1D4AF17Ch 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCC1D4AF183h 0x00000026 jmp 00007FCC1D4AF189h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2BF9E7 second address: 2BFA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b jng 00007FCC1D4AC758h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2BFA00 second address: 2BFA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCC1D4AF176h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2BFA0A second address: 2BFA23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007FCC1D4AC756h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2BFA23 second address: 2BFA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2BFBBC second address: 2BFBC6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C32AA second address: 2C32AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C32AE second address: 2C32F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jnl 00007FCC1D4AC768h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ecx 0x00000017 jmp 00007FCC1D4AC75Bh 0x0000001c pop ecx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007FCC1D4AC75Ah 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C32F9 second address: 2C3308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C3308 second address: 2C330D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C330D second address: 2C336D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCC1D4AF186h 0x00000008 jnl 00007FCC1D4AF176h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop eax 0x00000012 jmp 00007FCC1D4AF17Bh 0x00000017 js 00007FCC1D4AF17Bh 0x0000001d mov esi, 7172AA25h 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 or cl, FFFFFFA3h 0x00000029 push 00000003h 0x0000002b mov dl, 8Fh 0x0000002d call 00007FCC1D4AF179h 0x00000032 jmp 00007FCC1D4AF17Ch 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b pushad 0x0000003c popad 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C336D second address: 2C3392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C3392 second address: 2C3398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C3398 second address: 2C33BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007FCC1D4AC767h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C33BC second address: 2C3410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ebx 0x0000000c jmp 00007FCC1D4AF183h 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 cmc 0x00000014 movzx esi, bx 0x00000017 lea ebx, dword ptr [ebp+12458141h] 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007FCC1D4AF178h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 or dword ptr [ebp+122D2ACBh], ebx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C3410 second address: 2C3416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C3416 second address: 2C341B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C341B second address: 2C342E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FCC1D4AC756h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe RDTSC instruction interceptor: First address: 2C345F second address: 2C34B0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FCC1D4AF178h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 movzx ecx, bx 0x0000002b push 00000000h 0x0000002d adc di, A334h 0x00000032 call 00007FCC1D4AF179h 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FCC1D4AF17Ah 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: E9ECA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: E9C4EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 106E7CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 10D7A29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 13ECA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 13C4EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 30E7CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 377A29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 5040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 4810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: 246C2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: 246DA5F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4B30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 6F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 7F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8100000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9100000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9400000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9400000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: AA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E230000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: F230000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 10230000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 94C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9100000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: F230000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 77C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8A00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: AA00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DFF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: EFF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: EFF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DFF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: AB00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8A00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: AB00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Code function: 6_2_05170B9D rdtsc 6_2_05170B9D
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 580173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 577907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 577283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 576486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 576048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 572830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 572204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 560846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 558939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 558064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 557424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 556814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 555877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 555049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 554471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 552846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 551923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 551188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 549986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 549303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 548722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 547329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 546045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 545579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 545048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 544408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 543658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 543236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 542673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 542251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 541751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 540689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 540079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 539658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 538814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 538345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 537392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 536564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 535907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 535486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 535048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 534126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 533642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 533392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 533142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 532861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 532408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 531861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 531564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 531173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 529236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 528759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 528361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 527923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 527080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 526658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 526236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 525861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 525330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 525017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 523689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 523220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 522376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 522033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 520814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 519788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 519189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 518829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 518368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 515876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 515080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 504439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 503939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 503205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 498727
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 497658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 497095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 496595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 495658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 495001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 494455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 491861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 491501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 491189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 486642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 480626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 477908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 474501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 469017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 468283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 2948
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 991
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 919
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 977
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1034
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1096
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 852
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1059
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1092
Source: C:\Users\user\1000021002\2c9ff67496.exe Window / User API: threadDelayed 773
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 4297
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Window / User API: threadDelayed 4143
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 637
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 732
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\o70oR4A1odPm6ZpEPmcUY0kf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\VOC2vgozeooRPwe4xNfnekbg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Ud8P6u9zcQkOThPmdNJauqRX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\XBajRwldCSS42gwh4zu9f3ce.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\p7KXtY1OslUIeP9Ce7HA7pcJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ArokRzfYMxWDCVlcYzlFE2Lj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ar5KINQCCayk0Kw6DN1FAVFx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\qXzqKXhtyyRVQ12sGB23FDz0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\iiEhcrEC7kfTSvcQ2xPEqYzR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\WIZZw2jIWtghnINz7Bolcg6s.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\h9zNDFfiMy6YEXVQdIbIdOv5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\GcbucsdsAk7dv2EzyRdhbByI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\R7igej85hEl8p5QzHqqsVcc4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\k4a17b3U4KeqWyuMzrdWzqyt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\joRzh0eN9ubjpRYMOMHaTsYl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\zQeTuw5vxgdbKmiVRBeW6SUZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\vG3D68E3KVPIYrQEMWMU27tl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\zqrjs0OTmaC5sGR5VDn5k391.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\vQkPzCCvFzBxzLEPKtUXhb4x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\27xttgdEmHmLdE1NNbjDPunl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\WmwQPTarASP4EtQ3MAZKQqLX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\4ebcbWCvvuWPOCPYovXXMriV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CwwSkg4Z6r2CyUx7eieftoSL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\US6SMVSChPuNg0C79rqEySgv.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Nx2ualF4WR83o8BLpmD9zVrW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\9DP8FgphO9xB4vzM75llXw4b.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\fW9mvrDIULE1qzTuYb8DunLu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0FhI3ymKwyu4YKH0P5aiSwr9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NAw5Utgp8P611rdec0BR0MlI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\7mRVtPlrMfZmo26ldo406lmd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\kivxs7Zej5QjZRx4S943Y5EA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Yv6kDvOTN4rtEsFYOeCJZShm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\FMABIYNaDvdpX82vGnLOftDu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\OjMaXQfausZW7L4bZ74RhT97.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zy6qmavCIexKIuB9nNrNHs9p.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\jDKkqPCmIoUaiq9LrPYuCKQs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\NXXoMKuzuftWWcaGwWfRizTp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\TexEUOb49XCfEjOcQuxS4LdR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\DqApJooverXr18YkrozyIUpZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\F5nHoJjiPsXq9PqBPnN3uVb5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\qiW5UZkXzhMJ8qrVDgrcAGm1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ARFJvysANOCKBRK3eId7VsQB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\aR1aAXIrzQtExVh9FbdfoBrR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\lI1wLYD1b5s5Qo04Ewg0WqV1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\xFvJiGaaRqrUdwrQth3PHHC0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NAo5jaAAmqipcIgVfrpEqrOC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\fRiNFTEVJnpONJofzyWKlqwW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\gsF9GZceaIYWveF9Wn0mXwbt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\6lvatP6Q76Lt1uvfZT2GD6HY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Loo9WoJBx4a6RLa9vZq7467f.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\UrMKiBsPUmHBdjATiF2xGFWW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\5Xza309AWSsKZ7QtcoKLlH6j.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\xYhK2iEXeksXlPa9BMLXm5tE.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\D8TGVGr0asGkgU3ycSpOmYcn.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Yg9IAPVdFD93gbLGPdcvbgw2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Y0ZKJ4dRBRkIRESl8nT570lZ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\enEog6vYdNgmFKOyGbVQTrXc.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\91wCUE8aqMgtssmXq8JjQEVt.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\OFqYXukHEjQzmQ3ijziOsyC5.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Czc5fung6FsMhCVG7EMYaiqO.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ELbDrf9qIHQaBWPxuiJjUCoM.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\f3qMySWuesp6iqsnQUyX8UG1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\VUhKLgvybQx21ilX50E3IN7y.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\v4pPJZm6TK3eJidyD0YTpSI8.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\cqEYVGnsRBmElwXA0pViDIv4.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\nw6IIdZQfEhqp8k6unIrj2qH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\N14E2wCpaY7ufVWw1V4rquym.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\w73g23dHAf0dTWCMUXFqmd74.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\dLosfqkp920zMbaetcnvwrJJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\z2u4DwiwBezR2xi11GPVbROw.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ybCY5oONgBmPsQ2TsLXObZGj.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\aAFMFn8XgxK4ax5TQ7f1st28.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bVARrzkwQmnP1mnoffZ1HExy.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\WllNfMrTNMJ4E1bpkfOuURJc.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\O8qlhpLK7TtBYe0J94Fm1B86.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\PbrRyuOT2DJaFlbAzGY6neq7.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\VRZS2eg6KpyehTgltwjCKDt4.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\J6EKnVYc7FheOARgvJ4DtZho.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\RbvLNaGRBEsayaSXnP4Zo5B2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\JkJexXpPrIyNVfwGJRUJua9O.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\604jEG5qQpdnhPVOdLS1sPeh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ZFNbxiSI6dIgrSto9a3Z7jlo.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\YdDMLcotJvPaOVEHpalanl1d.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000081001\install.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\tRGz8YUeJOvAWwmplTaCNv1T.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3bvlPX7g5Zc6pp8TPpEM470u.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2D21U1bRl2sEI2OnuIMYALNl.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\TwRm9Z0OjBAq1e9wDGeHmdCv.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\bU6cqro2wPcmClLzDGRpxfw1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\3OywHIBuj0AIQ7Aq3CE27htS.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\pTXFwTPyWVPZ4sTiGkA8a5ei.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\GFV2yyE0PpJkpGdl2N1D7Pr9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\kqcWDzUDzGODoV7JWmwBlZRR.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Tn3AK9zqC5GmoiH5iA9IY9Q6.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\v7Li9n9DDXtQeZJRorH86P5g.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hQa9fYPzQBrGD6byFRloLN5U.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\gpxXZca2LPxp8nx3YxfAq52Q.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\vwsgN3REbITHxJG5vlKYY3Vx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\fybzTZ3WiLAPEZj0fVOx3M0F.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\7QngCiEI0nWQ5NI3rtCate4r.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\install[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\eNB1RX0hn7cF5yIvRdwV0Sdv.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\yNQkYyPgov8fX5k7nVDGzk6w.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\nRXc5v7fBpZ3Rt6WXas92N9q.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0rCtm6Hv5UQtXJOFVlEJjcOA.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bsl30mcD1mRV5YLU9isxcsMk.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\UnZ9xXtOVzbDDdfuNC2Trxtk.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Te8IoKHiu7i6R94P1wuixO8g.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ZA6xyNAEYiDprMq2qgywyku5.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\TEpqQjIAfTfCTbePKUGsV0Gk.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\uU9N3wILYLaLsdrVTU78EpKz.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2716 Thread sleep count: 2948 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2716 Thread sleep time: -88440000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2132 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6324 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2716 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232 Thread sleep count: 97 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 2524 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232 Thread sleep count: 109 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3328 Thread sleep count: 991 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3328 Thread sleep time: -1982991s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4180 Thread sleep count: 919 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4180 Thread sleep time: -1838919s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3320 Thread sleep count: 977 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3320 Thread sleep time: -1954977s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 884 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3160 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3160 Thread sleep time: -1380000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5560 Thread sleep count: 1034 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5560 Thread sleep time: -2069034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 420 Thread sleep count: 1096 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 420 Thread sleep time: -2193096s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7280 Thread sleep time: -2160000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2644 Thread sleep count: 852 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2644 Thread sleep time: -1704852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2720 Thread sleep count: 1059 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2720 Thread sleep time: -2119059s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2224 Thread sleep count: 1092 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2224 Thread sleep time: -2185092s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2260 Thread sleep count: 155 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7664 Thread sleep count: 76 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7664 Thread sleep count: 55 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2260 Thread sleep count: 66 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7292 Thread sleep count: 155 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7660 Thread sleep count: 67 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7660 Thread sleep count: 47 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7292 Thread sleep count: 58 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7812 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7976 Thread sleep count: 4297 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7976 Thread sleep time: -4297000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 16708 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 16708 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 8104 Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 8104 Thread sleep count: 104 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 4396 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 4396 Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 8104 Thread sleep count: 77 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe TID: 644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7576 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620 Thread sleep count: 110 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8432 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8432 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620 Thread sleep count: 52 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep count: 42 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -38738162554790034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7532 Thread sleep count: 732 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -599790s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -599665s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -599393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -599086s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -598959s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8052 Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -598668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -598313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -598000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -597750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -597532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -596922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -596391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -595943s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -595625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -595360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -595032s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -594407s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -593844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -593344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -592735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -592079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -591585s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -590814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -590313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -589150s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -588679s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -588206s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -584814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -584064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -583315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -582569s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -582066s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -581187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -580173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -579790s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -579252s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -577907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -577283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -576486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -576048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -574939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -574283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -573283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -572830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -572204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -564345s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -560846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -559627s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -558939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -558064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -557424s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -556814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -555877s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -555049s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -554471s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -552846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -551923s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -551188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -549986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -549303s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -548722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -547329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -546045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -545579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -545048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -544408s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -543658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -543236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -542673s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -542251s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -541751s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -540689s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -540079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -539658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -538814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -538345s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -537392s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -536564s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -535907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -535486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -535048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -534126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -533642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -533392s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -533142s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -532861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -532408s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -531861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -531564s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -531173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -530751s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -530501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -530017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -529236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -528759s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -528361s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -527923s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -527080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -526658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -526236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -525861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -525330s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -525017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -524533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -524173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -523689s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -523220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -522376s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -522033s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -520814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -519788s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -519189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -518829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -518368s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -517705s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -517361s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -517014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -516736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -516251s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -515876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -515080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -514611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -514095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -513595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -512142s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -511423s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -511017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -510314s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -510008s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -509517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -509126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -508736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -508298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -507845s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -507501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -507033s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -506626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -506343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -505908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -504439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -503939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -503205s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -502548s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -501985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -501267s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -499798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -499158s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -498727s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -497658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -497095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -496595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -495658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -495001s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -494455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -493939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -493533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -492798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -492236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -491861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -491501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -491189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -490673s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -490329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -490109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -489670s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -488720s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -488298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -487908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -486642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -484626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -482439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -480626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -478642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -477908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -476298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -475782s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -475220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -474501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -473861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -473314s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -472848s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -470533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -469017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -468283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -466986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -463876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -462830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -458970s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -457986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -457345s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -456888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -456173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -455658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -455080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -454579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -454048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -453595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -453283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -452986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -452189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -451908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -451517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -451064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -450783s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -450455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -449829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -449411s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -448626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -448095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -447811s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -447439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -446814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -446486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -446220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -445783s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -445486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -445189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002466F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_002466F0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00191F9C FindClose,FindFirstFileExW,GetLastError, 7_2_00191F9C
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00225F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_00225F80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00192022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_00192022
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3850 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_001F3850
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FD78B0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 2_2_00FD78B0
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 580173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 577907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 577283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 576486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 576048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 572830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 572204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 560846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 558939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 558064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 557424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 556814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 555877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 555049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 554471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 552846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 551923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 551188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 549986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 549303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 548722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 547329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 546045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 545579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 545048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 544408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 543658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 543236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 542673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 542251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 541751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 540689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 540079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 539658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 538814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 538345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 537392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 536564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 535907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 535486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 535048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 534126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 533642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 533392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 533142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 532861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 532408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 531861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 531564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 531173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 529236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 528759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 528361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 527923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 527080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 526658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 526236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 525861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 525330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 525017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 523689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 523220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 522376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 522033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 520814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 519788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 519189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 518829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 518368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 515876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 515080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 504439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 503939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 503205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 498727
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 497658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 497095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 496595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 495658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 495001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 494455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 491861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 491501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 491189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 486642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 480626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 477908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 474501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 469017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 468283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8A
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MPGPH131.exe, 00000014.00000003.2820152073.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2820638469.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2819486328.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3127253259.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2819877346.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADM
Source: MPGPH131.exe, 00000013.00000003.2843661605.0000000006035000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUuj
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2*
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nteractive Brokers - HKVMware20,11696487552]
Source: 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8i
Source: RegAsm.exe, 0000002F.00000002.2455354430.00000000014F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegAsm.exe, 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWl
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Temp\9ac011e0-5a83-469e-a698-55282c006efc.tmp
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.00000000013ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: amert.exe, 00000006.00000003.2192470141.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!
Source: aea7caadbf.exe, 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ks
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552| UE
Source: netsh.exe, 0000001B.00000003.2305479100.0000022A9AC75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: RageMP131.exe, 00000030.00000002.3131365441.0000000001080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000013.00000002.2957184812.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8A9uNEl
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs.comVMware20,11696487552
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8A I
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nara Change Transaction PasswordVMware20,11696487552^
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: amert.exe, amert.exe, 00000006.00000002.2239077402.000000000102A000.00000040.00000001.01000000.00000009.sdmp, explorha.exe, 00000008.00000002.4578788023.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp, explorha.exe, 00000009.00000002.2286142731.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rundll32.exe, 00000017.00000002.4575050800.000002161D690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@]m
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552| UE
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000108A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: MPGPH131.exe, 00000014.00000003.2290450601.0000000001447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_
Source: aea7caadbf.exe, 00000021.00000003.2806627544.0000000005C48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0},"ongoing_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0}}},"variations_compressed_seed":"
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000108C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Temp\5567ef92-dbe9-4ad2-9045-8f930e3d7ed6.tmp
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: explorta.exe, 0000002C.00000002.2755047302.0000000001868000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__q
Source: aea7caadbf.exe, 00000021.00000003.2808145085.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: jok.exe, 00000020.00000002.4626441113.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002C93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYie
GCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: amert.exe, 00000006.00000002.2239077402.000000000102A000.00000040.00000001.01000000.00000009.sdmp, explorha.exe, 00000008.00000002.4578788023.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp, explorha.exe, 00000009.00000002.2286142731.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: aea7caadbf.exe, 00000007.00000003.2846166620.00000000058AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000al\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsL,
Source: MPGPH131.exe, 00000013.00000003.2844575612.000000000602B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-1028231-15-52,P-X-1087217-10-23,P-X-1110552-2-3,P-X-1108288-1-7,P-X-1100779-2-7,P-X-1092122-2-9,P-X-1096650-2-6,P-X-1105131-2-6,P-X-1097232-7-13,P-X-1104872-1-9,P-X-1103964-2-3,P-X-1099080-1-9,P-X-1089758-2-11,P-X-1102990-2-3,P-X-1102008-2-7,P-X-1063575-3-11,P-X-1102153-2-4,P-X-1071006-1-5,P-X-1100769-1-3,P-X-1099659-1-3,P-X-1095668-2-7,P-X-1097226-1-5,P-X-1083898-4-17,P-X-1095524-1-3,P-X-1063514-2-6,P-X-1094047-1-6,P-X-1092821-2-3,P-X-1092738-2-3,P-X-1092158-1-3,P-X-1068889-5-13,P-X-1086546-21-84,P-X-1091091-2-4,P-X-1089774-2-7,P-X-1089256-2-5,P-X-1089119-2-6,P-X-1013679-2-5,P-X-1087661-2-6,P-X-1085156-1-3,P-X-1082985-5-11,P-X-1082074-3-7,P-X-1047521-4-21,P-X-1080712-1-5,P-X-1079473-2-6,P-X-1048662-1-13,P-X-1077532-1-5,P-X-1077147-1-9,P-X-1056699-36-118,P-X-1067018-2-4,P-X-1043380-1-18,P-X-1071593-2-4,P-X-1070560-4-8,P-X-1070133-1-6,P-X-1070026-3-7,P-X-1056537-1-9,P-X-1067718-1-3,P-X-1066229-1-7,P-X-1050101-1-9,P-X-1061902-3-17,P-X-1053062-1-5,P-X-1058142-1-7,P-X-1059966-1-9,P-X-1052772-23-44,P-X-1043219-25-50,P-X-1054089-1-3,P-X-1052254-4-10,P-X-1021723-3-16,P-X-1048870-3-8,P-X-1048071-1-5,P-X-1047513-1-5,P-X-1026324-3-20,P-X-1010579-1-9,P-X-1008556-23-99,P-X-1037615-1-7,P-X-1006190-9-15,P-X-1036081-1-3,P-X-1027402-7-15,P-X-1020537-2-6,P-X-1012411-2-9,P-X-100876-37-228,P-X-117040-1-5,P-X-113035-2-9,P-X-97954-9-89,P-X-91270-7-51,P-R-1089873-14-4,P-R-1080087-6-13,P-R-1075857-18-21,P-R-1068861-4-10,P-R-1047495-8-15,P-R-1044077-26-18,P-R-1008497-12-13,P-R-87486-2-16,P-R-86300-4-56,P-R-83096-12-34,P-R-67067-6-47,gb1ee141:447804,3j0gg466:431877,resetbing:447060,c1i80862:426410,wponsat2_50:441048,jj2e6986:422781,995h3546:443806,9djb2419:437170,bfcg7827:432826,t9qranimationemailautofill:439591,70030996:441561,ebd3g171:445684,tp-long:439700,
b01ji385:438026,i1g2g604:437359,9ffeg962:402950,e37a0582:438880,bingchatqueries_5_impression_with_redirect_urls:403574,3da3b319:434919,d68dd294:435290,web-select-unship:450753,8j079527:448887,i2e7g608:426901,6h1eh131:441212,e92c6808:416905,10ad8400:434605,9d4ca945:415901,identifydb:415105,walletpswlinkupdate:438029,ijd96734:409016,1c484819:413463,0188i430:410947,74g97287:426089,3cej0868:387697,bi4f4994:450434,j4d0f649:415920,be37a759:398467,9cc60973:411866,downarrowscrollwithtriggernew:379502,nonfloatingwithouttoggle:430356,f7bdg612:421301,d78jg254:440485,60a06606:446395,e8455899:433611,ed254cf:256436,a5g3j174:427088,domexpansion_v1:408272,sidepanecashbackclickv1:392715,ed429:371711,savingsyesui:360239,0iie5378:378326,j3jdi477:407165,g9744299:382390,0ce12802:395899,ed0317:378541,d699f664:417781,v1_newnotificationsettingsu:371743,13gjf650:361709,2chfa640:363442,edse218:361564,i5ceh755:348150,pcproductbyregexenus:345020,2ae48381:440529,i4d2e897:416850,0cdi8526:390116,158hf900:358403,edpas404:384675,followablewebwpo:339322,1ebea465:393468,72dhd990:347218,b5691989:400307,v11_aocgroups2and3:393492,d8ej1711:320853,edtok960
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2822300520.0000000005A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}collectionv1:285601,edklo447:358232,designershoreline-215:384841,edweb468:191638,ed672:193569,linkui:417512,ededg840:189491","EdgeConfig":"P-R-1141099-1-3,P-R-1136586-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1132367-1-7,P-R-1132544-1-6,P-R-1132175-1-3,P-R-1130507-1-5,P-R-1113531-4-9,P-R-1108562-1-7,P-R-1103742-4-6,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1095721-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-25,P-R-1080066-1-13,P-R-1077170-1-3,P-R-1060324-1-5,P-R-1052391-1-8,P-R-1039913-1-16,P-R-1036635-2-5,P-R-110491-23-70,P-R-68474-9-12,P-R-61206-14-17,P-R-61153-10-15,P-R-45373-8-85,P-R-46265-41-100","EdgeDomainActions":"P-R-1093245-1-12,P-R-1037936-1-9,P-R-1024693-1-9,P-R-108604-1-34,P-R-78306-1-18,P-R-73626-1-17,P-R-71025-5-13,P-R-63165-4-26,P-R-53243-2-7,P-R-40093-3-26,P-R-38744-7-97,P-R-31899-21-463,P-D-1138318-1-3,P-D-98331-6-31","EdgeFirstRun":"P-R-1103650-18-8,P-R-1021718-2-31,P-R-116827-1-15","EdgeFirstRunConfig":"P-R-1075865-1-7","Segmentation":"P-R-1113915-25-8,P-R-1098334-1-6,P-R-66078-1-3,P-R-66077-1-5,P-R-60882-1-2,P-R-43082-1-3,P-R-42744-1-2"}96-12-34,P
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp, explorta.exe, 00000002.00000002.4589350907.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.000000000108B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.0000000001435000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVCh
Source: RageMP131.exe, 00000030.00000003.2463397355.0000000001092000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Microsoft\Windows\Explorer\thumbcache_256.db{
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENTy
Source: aea7caadbf.exe, 00000007.00000003.2842683229.00000000059F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,116
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: MPGPH131.exe, 00000014.00000002.3124637144.00000000013E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8Aec
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MPGPH131.exe, 00000014.00000002.3124637144.0000000001435000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\Default\Local Storage\leveldb\000003.log
Source: MPGPH131.exe, 00000013.00000002.2953499946.00000000013ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&1
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMware20,11696487552| UE
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWdY
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Google\Chrome\User Data\Default\Visited Links
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: jok.exe, 00000020.00000002.4971718774.00000000061F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4106241586.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: aea7caadbf.exe, 00000021.00000002.3117284660.0000000001104000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\Default\Local Storage\leveldb\000003.log}'"*
Source: aea7caadbf.exe, 00000021.00000002.3118681563.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: amert.exe, 00000006.00000003.2192470141.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*h
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\Default\Local Storage\leveldb\000003.logxh
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Code function: 6_2_05170B9D rdtsc 6_2_05170B9D
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_0100628E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0100628E
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0022F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_0022F200
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01005D0B mov eax, dword ptr fs:[00000030h] 2_2_01005D0B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_01009A72 mov eax, dword ptr fs:[00000030h] 2_2_01009A72
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00226D00 mov eax, dword ptr fs:[00000030h] 7_2_00226D00
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_001F3EC0 mov eax, dword ptr fs:[00000030h] 7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_002499F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 7_2_002499F0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FEC9CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00FEC9CC
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_0100628E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0100628E
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0019451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0019451D
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_00198A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00198A64
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: swiiiii[1].exe.8.dr, Angelo.cs Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "FreeConsole")
Source: swiiiii[1].exe.8.dr, Angelo.cs Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "VirtualProtectEx")
Source: swiy[1].exe.8.dr, Angelo.cs Reference to suspicious API methods: Program.CreateRemoteThread(uint.MaxValue, 0u, 0u, ref Eugene.SuperBook[num], RemoteObjects.userBuffer, 0, ref WPA)
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FD6A70 std::_Xinvalid_argument,GetModuleFileNameA,CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 2_2_00FD6A70
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0022F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_0022F200
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pillowbrocccolipe.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: communicationgenerwo.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: diskretainvigorousiw.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: affordcharmcropwo.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dismissalcylinderhostw.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: enthusiasimtitleow.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: worryfillvolcawoi.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cleartotalfisherwo.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: boredimperissvieos.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: holicisticscrarws.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: sweetsquarediaslw.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: plaintediousidowsko.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: miniaturefinerninewjs.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: zippyfinickysofwps.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: obsceneclassyjuwks.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp String found in binary or memory: acceptabledcooeprs.shop
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FC5008
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1133008
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AF9008
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 457000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11CF008
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FD6E30 ShellExecuteA,Sleep,Sleep,__Init_thread_footer,CreateThread,Sleep, 2_2_00FD6E30
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\1000021002\2c9ff67496.exe "C:\Users\user\1000021002\2c9ff67496.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\1000021002\2c9ff67496.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: 2c9ff67496.exe, 0000000B.00000000.2237972193.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp, 2c9ff67496.exe.2.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: amert.exe, amert.exe, 00000006.00000002.2239077402.000000000102A000.00000040.00000001.01000000.00000009.sdmp, explorha.exe, 00000008.00000002.4578788023.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp, explorha.exe, 00000009.00000002.2286142731.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FECBC7 cpuid 2_2_00FECBC7
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: EnumSystemLocalesW, 7_2_001AB1B1
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetLocaleInfoW, 7_2_001B31CA
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_001B32F3
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetLocaleInfoW, 7_2_001B33F9
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_001B34CF
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetLocaleInfoW, 7_2_001AB734
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_001B2B5A
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetLocaleInfoW, 7_2_001B2D5F
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: EnumSystemLocalesW, 7_2_001B2E06
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: EnumSystemLocalesW, 7_2_001B2E51
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: EnumSystemLocalesW, 7_2_001B2EEC
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_001B2F77
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\1000021002\2c9ff67496.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\MXPXCVPDVN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SQRKHNBNYN.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SQRKHNBNYN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\UOOJJOZIRH.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\VAMYDFPUND.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_0100ABF2 GetSystemTimeAsFileTime, 2_2_0100ABF2
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FD6160 GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority, 2_2_00FD6160
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00FD78B0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 2_2_00FD78B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 31.2.rundll32.exe.6be60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: 31.2.rundll32.exe.6be60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorha.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.amert.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorha.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.7ffd84eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorta.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fjL0EcgV6Y.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explorta.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.explorta.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2426954025.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2083851627.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2102606370.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4574731193.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.2407964114.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4573587455.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.4578583730.000000006BE61000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2238783489.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2239011126.0000000000E31000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2064758030.0000000003380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2245209175.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2177043340.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2084843739.0000000001DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2285975252.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2091875914.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7696, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll, type: DROPPED
Source: Yara match File source: 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7772, type: MEMORYSTR
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 32.0.jok.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jok.exe PID: 8040, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe, type: DROPPED
Source: Yara match File source: 00000007.00000002.3093234156.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3127044186.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aea7caadbf.exe PID: 5424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aea7caadbf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FBI40obsDIWEYEPEV328oLc.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CaDLjLgaJOb2EJDbtX6Wfco.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rwhVS5Gl_u4JEiZA0FdJsuV.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bz4iHvznQtQ52p38FhmsRD6.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\VuTSwQVdPxyUu9EXsE6w3ql.zip, type: DROPPED
Source: Yara match File source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR
Source: aea7caadbf.exe, 00000007.00000002.3093234156.000000000110F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: RegAsm.exe, 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco,>
Source: RegAsm.exe, 00000019.00000002.2402362277.00000000010F7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.walletA%appdata%\Exodus\exodus.walletAkeystoreD
Source: aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\mUrODvZDsuNRBdTcXkdXtpnWOFAIBXFrVuRmIBrAF\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\5454e6f062\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000020001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\1000021002\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\ProgramData\MPGPH131\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000066001\.purple\accounts.xml
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: Yara match File source: 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3139553145.000000000654A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aea7caadbf.exe PID: 5424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jok.exe PID: 8040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aea7caadbf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7608, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7772, type: MEMORYSTR
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 32.0.jok.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jok.exe PID: 8040, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe, type: DROPPED
Source: Yara match File source: 00000007.00000002.3093234156.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3127044186.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aea7caadbf.exe PID: 5424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aea7caadbf.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7608, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FBI40obsDIWEYEPEV328oLc.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CaDLjLgaJOb2EJDbtX6Wfco.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rwhVS5Gl_u4JEiZA0FdJsuV.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bz4iHvznQtQ52p38FhmsRD6.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\VuTSwQVdPxyUu9EXsE6w3ql.zip, type: DROPPED
Source: Yara match File source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR