Edit tour

Windows Analysis Report
fjL0EcgV6Y.exe

Overview

General Information

Sample name:	fjL0EcgV6Y.exe renamed because original name is a hash value
Original sample name:	6bcab686349807f131a92c8fe7a4d736.exe
Analysis ID:	1437711
MD5:	6bcab686349807f131a92c8fe7a4d736
SHA1:	487846c6d51f8df894bb174542a81fd0eb25e1ae
SHA256:	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926
Tags:	exeRiseProStealer
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Drops script at startup location

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Mars stealer

Yara detected RedLine Stealer

Yara detected RisePro Stealer

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates HTML files with .exe extension (expired dropper behavior)

Creates multiple autostart registry keys

Disables UAC (registry)

Drops script or batch files to the startup folder

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes many files with high entropy

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

fjL0EcgV6Y.exe (PID: 1424 cmdline: "C:\Users\user\Desktop\fjL0EcgV6Y.exe" MD5: 6BCAB686349807F131A92C8FE7A4D736)

explorta.exe (PID: 4092 cmdline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" MD5: 6BCAB686349807F131A92C8FE7A4D736)

explorta.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" MD5: 6BCAB686349807F131A92C8FE7A4D736)

amert.exe (PID: 5784 cmdline: "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe" MD5: F94CAD2EA8087F7452D99C57BF5C935E)

explorha.exe (PID: 3564 cmdline: "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" MD5: F94CAD2EA8087F7452D99C57BF5C935E)

aea7caadbf.exe (PID: 5424 cmdline: "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe" MD5: 9B38B95FC36FD9B330018EC18E7DEB9D)

schtasks.exe (PID: 5048 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6684 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

2c9ff67496.exe (PID: 712 cmdline: "C:\Users\user\1000021002\2c9ff67496.exe" MD5: A45EC26929E9563254198D2B394D4D17)

chrome.exe (PID: 2444 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

explorta.exe (PID: 1292 cmdline: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe MD5: 6BCAB686349807F131A92C8FE7A4D736)

explorha.exe (PID: 4896 cmdline: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe MD5: F94CAD2EA8087F7452D99C57BF5C935E)

rundll32.exe (PID: 7672 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7696 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)

netsh.exe (PID: 7844 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8120 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

swiiiii.exe (PID: 7680 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe" MD5: 1C7D0F34BB1D85B5D2C01367CC8F62EF)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 872 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7972 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)

jok.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe" MD5: 8510BCF5BC264C70180ABE78298E4D5B)

swiy.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe" MD5: 317465164F61FE462864A65B732CCC13)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 3544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

file300un.exe (PID: 3940 cmdline: "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" MD5: C1D583657C7FE7973F820983FD1ABB81)

powershell.exe (PID: 7616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CasPol.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

InstallUtil.exe (PID: 8048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 8116 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

gold.exe (PID: 7160 cmdline: "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe" MD5: F15A9CFA3726845017A7F91ABE0A14F7)

RegAsm.exe (PID: 6540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

MPGPH131.exe (PID: 5096 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9B38B95FC36FD9B330018EC18E7DEB9D)

MPGPH131.exe (PID: 7288 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9B38B95FC36FD9B330018EC18E7DEB9D)

aea7caadbf.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe" MD5: 9B38B95FC36FD9B330018EC18E7DEB9D)

explorta.exe (PID: 3580 cmdline: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe MD5: 6BCAB686349807F131A92C8FE7A4D736)

RageMP131.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9B38B95FC36FD9B330018EC18E7DEB9D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://49.13.229.86/c73eed764cc59dcb.php"}

Threatname: LummaC

{"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop"], "Build id": "LGNDR1--ketamine"}

Threatname: Amadey

{"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}

Threatname: RedLine

{"C2 url": ["185.215.113.67:26260"], "Bot Id": "Test1234", "Authorization Header": "bed37b7c341f364ee692c5adfa824881"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\FBI40obsDIWEYEPEV328oLc.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\CaDLjLgaJOb2EJDbtX6Wfco.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\rwhVS5Gl_u4JEiZA0FdJsuV.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bz4iHvznQtQ52p38FhmsRD6.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\VuTSwQVdPxyUu9EXsE6w3ql.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author
0000002C.00000002.2426954025.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2083851627.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000002.3093234156.000000000103E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2102606370.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.4574731193.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000003.2407964114.0000000001810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.4573587455.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001F.00000002.4578583730.000000006BE61000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000008.00000003.2238783489.00000000048E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.2239011126.0000000000E31000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2064758030.0000000003380000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2245209175.0000000004860000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000003.2177043340.0000000004F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000002.00000003.2084843739.0000000001DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000030.00000002.3139553145.000000000654A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000009.00000002.2285975252.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.3127044186.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000003.00000003.2091875914.00000000015E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: aea7caadbf.exe PID: 5424	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: aea7caadbf.exe PID: 5424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 5096	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 5096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7288	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7288	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7696	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: rundll32.exe PID: 7696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7772	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7772	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: jok.exe PID: 8040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jok.exe PID: 8040	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: aea7caadbf.exe PID: 8100	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: aea7caadbf.exe PID: 8100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3544	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3544	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: file300un.exe PID: 3940	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file300un.exe PID: 3940	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 6540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7608	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 55 entries

Unpacked PEs

Source	Rule	Description	Author
51.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
38.2.swiy.exe.3f65570.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
38.2.swiy.exe.3f65570.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
41.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
41.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
32.0.jok.exe.490000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
31.2.rundll32.exe.6be60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
31.2.rundll32.exe.6be60000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
8.2.explorha.exe.d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.amert.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
43.2.file300un.exe.246c2698740.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.explorha.exe.d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
43.2.file300un.exe.246c2695d00.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
38.2.swiy.exe.3f65570.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
38.2.swiy.exe.3f65570.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
41.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
41.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
23.2.rundll32.exe.7ffd84eb0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.explorta.exe.fd0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.fjL0EcgV6Y.exe.db0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.explorta.exe.fd0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
44.2.explorta.exe.fd0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe, ProcessId: 4092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aea7caadbf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe, ParentProcessId: 3940, ParentProcessName: file300un.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force, ProcessId: 7616, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7696, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 8120, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe, ProcessId: 4092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aea7caadbf.exe

Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7696, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 8120, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe, ParentProcessId: 5424, ParentProcessName: aea7caadbf.exe, ProcessCommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, ProcessId: 5048, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7696, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 8120, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 8048, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STCrhsi84NOAwKBL55hj4E9M.bat

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7696, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 7844, ProcessName: netsh.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fjL0EcgV6Y.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\1000021002\2c9ff67496.exe

Avira: detection malicious, Label: TR/AutoIt.mzmcv

Found malware configuration

Source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://49.13.229.86/c73eed764cc59dcb.php"}
Source: 32.0.jok.exe.490000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:26260"], "Bot Id": "Test1234", "Authorization Header": "bed37b7c341f364ee692c5adfa824881"}
Source: 31.2.rundll32.exe.6be60000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}
Source: RegAsm.exe.7772.25.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop"], "Build id": "LGNDR1--ketamine"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\file300un[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: fjL0EcgV6Y.exe

ReversingLabs: Detection: 55%

Machine Learning detection for dropped file

Source: C:\Users\user\1000021002\2c9ff67496.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fjL0EcgV6Y.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: @@@@@@@@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ">>""&&VWXY
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: .226622>>22lmnopq((\]^_`abcdefghijklmnopqrs
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: V/yVs
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Vs\*.
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 1_to7ens]
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ,ass+ordjAss}ord
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 6=@@J@@@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: KLM0OPQ-'!#!/!#{\|}
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: }r4BO
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: !rie
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tGR>lk`5
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ReleaseDC
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Fgph@
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: E7Q)y
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 41.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: login:
Source: 31.2.rundll32.exe.6be60000.0.unpack	String decryptor: 193.233.132.56
Source: 31.2.rundll32.exe.6be60000.0.unpack	String decryptor: /Pneh2sXQk0/index.php

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Code function: 7_2_00226A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

7_2_00226A80

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file300un.exe PID: 3940, type: MEMORYSTR

Source: fjL0EcgV6Y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: System.ServiceModel.pdb source: jok.exe, 00000020.00000002.4972745129.0000000006284000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2430582865.0000000001537000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\j6qffzq3zw24\obj\Release\NETCrypt.pdb source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\1000066001\Croco.pdb&[ source: swiiiii.exe, 00000016.00000002.2430582865.0000000001504000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002466F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	7_2_002466F0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,	7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00191F9C FindClose,FindFirstFileExW,GetLastError,	7_2_00191F9C
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00225F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	7_2_00225F80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00192022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	7_2_00192022
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	7_2_001F3850

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://49.13.229.86/c73eed764cc59dcb.php
Source: Malware configuration extractor	URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor	URLs: communicationgenerwo.shop
Source: Malware configuration extractor	URLs: communicationgenerwo.shop
Source: Malware configuration extractor	URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor	URLs: affordcharmcropwo.shop
Source: Malware configuration extractor	URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor	URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor	URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor	URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor	IPs: 193.233.132.56
Source: Malware configuration extractor	URLs: 185.215.113.67:26260

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: la4RG5LhUShae5ag2mFmRdea.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: UyBcuun7lvdsc1U8v04bEvjS.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: I4LhcLo5s9gVJdPowLL5oSzp.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C719B9p0FfrJspWW8NACmoaE.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: MCN1KYKWa3qY8Q8lKV2maDTO.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: bfSaxNj6PaRbQoH1x6AgorQM.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: XmniUOpJt9KGe1pM4XamnqZH.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: J8btV6htPGHeL2Yg1SgCaGFn.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: 3bpaooYORdL1zGgZZfaU6raM.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: M7rZI00dvqcykJFiBeuGFS7T.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: zhcyBjWDtf9NR8VTfZLAmUWa.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: GJ9O0qofKCDUPenZCkorX2YL.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: iftEMaYodvzM2QCJfFMzhqiG.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: lIBiF8F27nqVHoA6YIdbqFcI.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: yqUOk3nzvlJdWid9vqJoE5bL.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: TPSAPLN3OIImBCuzU9uj0qm5.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: NE6WkYn9fBQoC9a4gd2yFZXX.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: x6geX33yrj2DQ3LHzZRqUqDy.exe.51.dr

Yara detected Generic Downloader

Source: Yara match	File source: 51.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.file300un.exe.246c2698740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.file300un.exe.246c2695d00.0.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FDB670 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

2_2_00FDB670

Source: 2c9ff67496.exe, 0000000B.00000003.3873025945.00000000038D3000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: K https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQyCImb_9cRDrKcUUsrjjBJhwC0Hyy9a0pW5vmMGs8rXmt9Y8EEn3tZ63u-DOF1VvxYXGAK-aw equals www.youtube.com (Youtube)
Source: aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&h equals www.youtube.com (Youtube)
Source: RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQxq7WLN6IjqvXj3bSYD7y0Ga0eg2SR6TZWYx2Ejint8ILvQao0P-v2i4jfUB13lX2_DKtde7g&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-485649803%3A1715106767804271&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: 2c9ff67496.exe, 0000000B.00000003.2527725830.0000000003853000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000002.4120102195.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: 2c9ff67496.exe, 0000000B.00000002.4120102195.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountR equals www.youtube.com (Youtube)
Source: 2c9ff67496.exe, 0000000B.00000002.4120102195.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account\| equals www.youtube.com (Youtube)

Source: RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: MPGPH131.exe, 00000013.00000002.2958708136.0000000006208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeata
Source: MPGPH131.exe, 00000014.00000002.3127044186.0000000005C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeta
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/NewB.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/NewB.exe~b
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.59
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.59/ISetup5.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.59/ISetup5.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.18
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/00021002
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/405117-2476756634-1003
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/B4-6C85480369C7
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/e01b58d87e8e6fbbace30804042ba5ce902415450#
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.php
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.php6.exe:Zone.Identifier
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpRp8UCqAMTqfIMjU07d3NR=a5c
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpUsers
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcoded
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpded
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpded:
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpe
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpeE
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpt
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpu
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/ws
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.175
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234/files/file300un.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234/files/file300un.exetw2
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234/files/loader-2841.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234/files/loader-2841.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234/files/setup.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.234/files/setup.exe4k
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/33.132.56/
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/33.132.56/5=
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/33.132.56/OneDrive
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/33.132.56/ta
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Data
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
Source: rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php#
Source: rundll32.exe, 00000017.00000002.4575050800.000002161D6AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php$
Source: rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php0
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php00088001
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php088001
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php4p
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php8001
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php8w
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpUsers
Source: rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpd
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpded
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpdedE
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpe
Source: rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phph
Source: rundll32.exe, 00000017.00000002.4575050800.000002161D690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpm
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phppData
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phps
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpyu8
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.0000000001104000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3134911819.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe0.1
Source: aea7caadbf.exe, 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe963
Source: RageMP131.exe, 00000030.00000002.3134911819.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exeeam
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2958708136.0000000006208000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3127044186.0000000005C18000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.0000000001104000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3134911819.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: MPGPH131.exe, 00000013.00000002.2958708136.0000000006208000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3127044186.0000000005C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exeUser
Source: RageMP131.exe, 00000030.00000002.3134911819.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exea.exeoin
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exeater
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exeka.ex
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/random.exe
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/sarra.exe
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/sarra.exe/z=
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/alexxxxxxxx.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/alexxxxxxxx.exep
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/gold.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/gold.exe~r
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/jok.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/swiiiii.exeIHZ
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/swiiiii.exe~HQ
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/swiy.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/lend/swiy.exejr
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/mine/amert.exe
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/mine/random.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/wB.exe
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/3.229.86/c73eed764cc59dcb.php
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/73eed764cc59dcb.phpI
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/freebl3.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/freebl3.dllUG
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/mozglue.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/mozglue.dll.
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/msvcp140.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/msvcp140.dllcD
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/nss3.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/nss3.dllN
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/nss3.dll_
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/nss3.dlll
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/nss3.dllv
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/softokn3.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/sqlite3.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/sqlite3.dll=D
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/vcruntime140.dll
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/84bad7132df89fd7/vcruntime140.dllXN
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.0000000021965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.php
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.php.
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.php4b
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.phpData
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.phpbe85b06b74ee94f19768b5dcb524670
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.phplKK
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.phponCash
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://49.13.229.86/c73eed764cc59dcb.phps
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.221.151.47/install.exe
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorha.exe, 00000008.00000002.4621717301.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, file300un.exe, 0000002B.00000002.3172832815.00000246D2601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: explorha.exe, 00000008.00000002.4621717301.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, file300un.exe, 0000002B.00000002.3172832815.00000246D2601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: InstallUtil.exe, 00000033.00000002.4166622967.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://firstfirecar.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jonathantwo.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nic-it.nl
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nic-it.nl/games/index.php
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nic-it.nl/games/index.php0
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nic-it.nl/games/index.php4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nic-it.nl/games/index.phpt-
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorha.exe, 00000008.00000002.4621717301.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, file300un.exe, 0000002B.00000002.3172832815.00000246D2601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://onlycitylink.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://realdeepai.org
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9K
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000029.00000002.3525660003.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp, RageMP131.exe, 00000030.00000003.2428078929.0000000002C10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://yip.su
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: aea7caadbf.exe, 00000007.00000003.2770426270.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2822300087.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2765338419.0000000005C4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 00000019.00000002.2402948638.000000000140F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/api4
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/apiP
Source: RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/h
Source: RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/v
Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop:443/api
Source: jok.exe, 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://counter.yadro.ru/hit?
Source: aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.0000000001104000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/.
Source: RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102=Eg
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102O
Source: aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102P
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102V
Source: MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102_
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102y.co.ukd
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.0000000001077000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.000000000110C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2515455506.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102P
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102hcon
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3259535350.000000002196B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firstfirecar.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firstfirecar.com/980979aa037665b1a96df3348db08dc0/baf14778c246e15550645e30ba78ce1c.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firstfirecar.comL
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firstfirecar.comL&f
Source: RageMP131.exe, 00000030.00000002.3131365441.0000000001061000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/#N
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2675850557.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.0000000001416000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000109A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/P
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/RE
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp, RageMP131.exe, 00000030.00000003.2428078929.0000000002C10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000013.00000002.2953499946.00000000013D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ocal
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.000000000107B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.1020
Source: MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102q
Source: MPGPH131.exe, 00000014.00000002.3124637144.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/z
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2675850557.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/156.146.37.102
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001416000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/156.146.37.102A
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.com/1lyxz
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/privacy/
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/rules/
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jonathantwo.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000003119000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jonathantwo.com/980979aa037665b1a96df3348db08dc0/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jonathantwo.comH
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jonathantwo.comHdk
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jonathantwo.comHvu
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onlycitylink.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe4c
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/E0rY26ni
Source: InstallUtil.exe, 00000033.00000002.4166622967.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://realdeepai.org
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe4k
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exeW
Source: explorha.exe, 00000008.00000002.4621717301.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, file300un.exe, 0000002B.00000002.3172832815.00000246D2601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: aea7caadbf.exe, 00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.000000000102E000.00000004.00000020.00020000.00000000.sdmp, FBI40obsDIWEYEPEV328oLc.zip.33.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000014.00000002.3124637144.00000000013E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT?b
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTPROCESSOR_LEVEL=6PROCES
Source: aea7caadbf.exe, 00000021.00000002.3117284660.0000000001077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTh
Source: MPGPH131.exe, 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTl
Source: aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTrJ
Source: MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789324736.000000000110F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2821833886.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2794468417.0000000001116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot07
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botK
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botlaterL;
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botr
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aea7caadbf.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/chrome.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: RegAsm.exe, 00000029.00000002.3009103992.000000000044B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873025945.00000000038D3000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.2526350598.0000000003840000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.2627476418.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3903887566.0000000003876000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2787280837.0000000006026000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2779050766.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2780783642.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account
Source: 2c9ff67496.exe, 0000000B.00000002.4120102195.0000000003904000.00000004.00000020.00020000.00000000.sdmp, 2c9ff67496.exe, 0000000B.00000003.3873951464.0000000003904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountR
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exe
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2686000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4104870630.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/redirect-
Source: RegAsm.exe, 0000002F.00000002.2455354430.00000000014F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zippyfinickysofwps.shop/R
Source: RegAsm.exe, 0000002F.00000002.2455354430.00000000014F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zippyfinickysofwps.shop/api
Source: RegAsm.exe, 0000002F.00000002.2455143104.00000000014D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zippyfinickysofwps.shop:443/apilike

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Code function: 7_2_00245F70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,702B74A0,DeleteObject,DeleteObject,ReleaseDC,

7_2_00245F70

Source: 2c9ff67496.exe, 0000000B.00000003.3919375581.000000000385A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_GETRAWINPUTDATA

memstr_e2132641-c

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE3C7.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE3E7.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\install[1].exe entropy: 7.99674074491	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000081001\install.exe entropy: 7.99674074491	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\F5nHoJjiPsXq9PqBPnN3uVb5.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\bsl30mcD1mRV5YLU9isxcsMk.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ZA6xyNAEYiDprMq2qgywyku5.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\R7igej85hEl8p5QzHqqsVcc4.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Czc5fung6FsMhCVG7EMYaiqO.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\z2u4DwiwBezR2xi11GPVbROw.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ARFJvysANOCKBRK3eId7VsQB.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\bVARrzkwQmnP1mnoffZ1HExy.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Tn3AK9zqC5GmoiH5iA9IY9Q6.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\fybzTZ3WiLAPEZj0fVOx3M0F.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\fW9mvrDIULE1qzTuYb8DunLu.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\gpxXZca2LPxp8nx3YxfAq52Q.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\5Xza309AWSsKZ7QtcoKLlH6j.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Zy6qmavCIexKIuB9nNrNHs9p.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\o70oR4A1odPm6ZpEPmcUY0kf.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\h9zNDFfiMy6YEXVQdIbIdOv5.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\ybCY5oONgBmPsQ2TsLXObZGj.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\DqApJooverXr18YkrozyIUpZ.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\cqEYVGnsRBmElwXA0pViDIv4.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\qXzqKXhtyyRVQ12sGB23FDz0.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Ud8P6u9zcQkOThPmdNJauqRX.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\iiEhcrEC7kfTSvcQ2xPEqYzR.exe entropy: 7.99595937804	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\GFV2yyE0PpJkpGdl2N1D7Pr9.exe entropy: 7.99595937804	Jump to dropped file

System Summary

.NET source code contains very large array initializations

Source: swiiiii[1].exe.8.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.8.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 297472
Source: swiy[1].exe.8.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 153088
Source: swiy.exe.8.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 153088

Binary is likely a compiled AutoIt script file

Source: 2c9ff67496.exe, 0000000B.00000000.2237972193.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ec53eccc-a
Source: 2c9ff67496.exe, 0000000B.00000000.2237972193.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_167667d0-9
Source: 2c9ff67496.exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2559f638-2
Source: 2c9ff67496.exe.2.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d1123c48-6

PE file contains section with special chars

Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: sarra[1].exe.2.dr	Static PE information: section name:
Source: sarra[1].exe.2.dr	Static PE information: section name: .idata
Source: sarra[1].exe.2.dr	Static PE information: section name:
Source: amert[1].exe.2.dr	Static PE information: section name:
Source: amert[1].exe.2.dr	Static PE information: section name: .idata
Source: amert[1].exe.2.dr	Static PE information: section name:
Source: amert.exe.2.dr	Static PE information: section name:
Source: amert.exe.2.dr	Static PE information: section name: .idata
Source: amert.exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: explorha.exe.6.dr	Static PE information: section name:
Source: explorha.exe.6.dr	Static PE information: section name: .idata
Source: explorha.exe.6.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	File created: C:\Windows\Tasks\explorta.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File created: C:\Windows\Tasks\explorha.job			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01012918	2_2_01012918
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_0101703B	2_2_0101703B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01012480	2_2_01012480
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01016F1B	2_2_01016F1B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01018380	2_2_01018380
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_010167C9	2_2_010167C9
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01007633	2_2_01007633
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_0104D250	2_2_0104D250
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001A002D	7_2_001A002D
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001FF050	7_2_001FF050
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0020A180	7_2_0020A180
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F6330	7_2_001F6330
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001FD320	7_2_001FD320
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0023E3B0	7_2_0023E3B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F03C0	7_2_001F03C0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0029F480	7_2_0029F480
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00237580	7_2_00237580
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F8630	7_2_001F8630
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0016B8E0	7_2_0016B8E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001E1B90	7_2_001E1B90
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0025AC30	7_2_0025AC30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0023FE80	7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3EC0	7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001FAEE0	7_2_001FAEE0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0023EFB0	7_2_0023EFB0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3000	7_2_001F3000
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001971A0	7_2_001971A0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002042A0	7_2_002042A0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001A036F	7_2_001A036F
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001E4560	7_2_001E4560
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0018F580	7_2_0018F580
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00203590	7_2_00203590
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002A85F0	7_2_002A85F0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002A7690	7_2_002A7690
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00247760	7_2_00247760
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001B47BF	7_2_001B47BF
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0019A928	7_2_0019A928
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0019C960	7_2_0019C960
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001ADA86	7_2_001ADA86
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0024FBA0	7_2_0024FBA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0024EBA0	7_2_0024EBA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001B8BB0	7_2_001B8BB0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00294C70	7_2_00294C70
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002A6C50	7_2_002A6C50
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002A5D10	7_2_002A5D10
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002A1E30	7_2_002A1E30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001B8E30	7_2_001B8E30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00252F30	7_2_00252F30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001FFFFF	7_2_001FFFFF

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Code function: String function: 0017ACE0 appears 86 times

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 872

Source: aea7caadbf.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: random[1].exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: MPGPH131.exe.7.dr	Static PE information: Number of sections : 12 > 10
Source: explorta.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: fjL0EcgV6Y.exe	Static PE information: Number of sections : 12 > 10
Source: RageMP131.exe.7.dr	Static PE information: Number of sections : 12 > 10

Source: file300un[1].exe.8.dr

Static PE information: No import functions for PE file found

Source: fjL0EcgV6Y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: swiiiii[1].exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiy[1].exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiy.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fjL0EcgV6Y.exe	Static PE information: Section: ZLIB complexity 0.9998032823741008
Source: fjL0EcgV6Y.exe	Static PE information: Section: ZLIB complexity 0.9933230377906976
Source: fjL0EcgV6Y.exe	Static PE information: Section: ZLIB complexity 1.00537109375
Source: fjL0EcgV6Y.exe	Static PE information: Section: .boot ZLIB complexity 0.9909273791480536
Source: fjL0EcgV6Y.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: explorta.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998032823741008
Source: explorta.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9933230377906976
Source: explorta.exe.0.dr	Static PE information: Section: ZLIB complexity 1.00537109375
Source: explorta.exe.0.dr	Static PE information: Section: .boot ZLIB complexity 0.9909273791480536
Source: explorta.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: amert[1].exe.2.dr	Static PE information: Section: ZLIB complexity 0.9982615616621984
Source: amert[1].exe.2.dr	Static PE information: Section: tgqtxtnx ZLIB complexity 0.9945086732390126
Source: amert.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9982615616621984
Source: amert.exe.2.dr	Static PE information: Section: tgqtxtnx ZLIB complexity 0.9945086732390126
Source: random[1].exe.2.dr	Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: random[1].exe.2.dr	Static PE information: Section: ZLIB complexity 1.000295928030303
Source: random[1].exe.2.dr	Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: random[1].exe.2.dr	Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: random[1].exe.2.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: aea7caadbf.exe.2.dr	Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: aea7caadbf.exe.2.dr	Static PE information: Section: ZLIB complexity 1.000295928030303
Source: aea7caadbf.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: aea7caadbf.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: aea7caadbf.exe.2.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: explorha.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9982615616621984
Source: explorha.exe.6.dr	Static PE information: Section: tgqtxtnx ZLIB complexity 0.9945086732390126
Source: RageMP131.exe.7.dr	Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: RageMP131.exe.7.dr	Static PE information: Section: ZLIB complexity 1.000295928030303
Source: RageMP131.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: RageMP131.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: RageMP131.exe.7.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.7.dr	Static PE information: Section: ZLIB complexity 1.0000324249267578
Source: MPGPH131.exe.7.dr	Static PE information: Section: ZLIB complexity 1.000295928030303
Source: MPGPH131.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9901315789473685
Source: MPGPH131.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: MPGPH131.exe.7.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@384/420@0/43

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

7_2_0023FE80

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:500:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe

File created: C:\Users\user\AppData\Local\Temp\5454e6f062

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: aea7caadbf.exe, 00000007.00000003.2201507167.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3091677170.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000013.00000002.2948125671.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2273090811.0000000001310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3121223500.000000000073E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2273399495.0000000001360000.00000004.00001000.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000002.3116197583.00000000002BE000.00000040.00000001.01000000.0000000A.sdmp, aea7caadbf.exe, 00000021.00000003.2327976824.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3129483194.000000000075E000.00000040.00000001.01000000.0000001B.sdmp, RageMP131.exe, 00000030.00000003.2428078929.0000000002C10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp, RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aea7caadbf.exe, 00000007.00000003.2763923547.00000000058B6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2760437173.00000000058A8000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2756730026.00000000058A8000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2829759297.00000000058A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2781020740.0000000005BD5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2784972575.0000000005BD5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2771103050.0000000005C18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2774016505.0000000005C18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.4575050800.000002161D618000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: RegAsm.exe, 00000029.00000002.3209060575.000000001B8FA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3510041257.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: fjL0EcgV6Y.exe

ReversingLabs: Detection: 55%

Source: amert.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: aea7caadbf.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe

File read: C:\Users\user\Desktop\fjL0EcgV6Y.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fjL0EcgV6Y.exe "C:\Users\user\Desktop\fjL0EcgV6Y.exe"
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\1000021002\2c9ff67496.exe "C:\Users\user\1000021002\2c9ff67496.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\1000021002\2c9ff67496.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 872
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\1000021002\2c9ff67496.exe "C:\Users\user\1000021002\2c9ff67496.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\1000021002\2c9ff67496.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=2032,i,3277131894660533735,10710382389248485071,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: wsock32.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: version.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: winmm.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: mpr.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: wininet.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: userenv.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: wldp.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: propsys.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: profapi.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: edputil.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: urlmon.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: iertutil.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: srvcli.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: netutils.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: sspicli.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: wintypes.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: appresolver.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: slc.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: sppc.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: pcacli.dll
Source: C:\Users\user\1000021002\2c9ff67496.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: fjL0EcgV6Y.exe

Static file information: File size 1804304 > 1048576

Source: fjL0EcgV6Y.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x187c00

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2448650373.0000000003043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: rundll32.exe, 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: System.ServiceModel.pdb source: jok.exe, 00000020.00000002.4972745129.0000000006284000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000029.00000002.3608349585.000000006880F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000029.00000002.3564561340.000000006864D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000016.00000002.2430582865.0000000001537000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\j6qffzq3zw24\obj\Release\NETCrypt.pdb source: explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\1000066001\Croco.pdb&[ source: swiiiii.exe, 00000016.00000002.2430582865.0000000001504000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Unpacked PE file: 6.2.amert.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Unpacked PE file: 8.2.explorha.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Unpacked PE file: 9.2.explorha.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tgqtxtnx:EW;ouenqhoa:EW;.taggant:EW;

Source: jok[1].exe.8.dr

Static PE information: 0xFC177629 [Thu Jan 10 08:13:29 2104 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Code function: 7_2_0022F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

7_2_0022F200

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: explorha.exe.6.dr	Static PE information: real checksum: 0x1da068 should be: 0x1d31b5
Source: amert[1].exe.2.dr	Static PE information: real checksum: 0x1da068 should be: 0x1d31b5
Source: NewB.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: swiy.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x32404
Source: NewB[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: swiy[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x32404
Source: alexxxxxxxx.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: cred64.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: cred64[1].dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: jok[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x547e4
Source: swiiiii.exe.8.dr	Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: alexxxxxxxx[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: sarra[1].exe.2.dr	Static PE information: real checksum: 0x25c164 should be: 0x25b84a
Source: clip64.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x1f783
Source: install[1].exe.8.dr	Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: clip64[1].dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x1f783
Source: amert.exe.2.dr	Static PE information: real checksum: 0x1da068 should be: 0x1d31b5
Source: jok.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x547e4
Source: install.exe.8.dr	Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: swiiiii[1].exe.8.dr	Static PE information: real checksum: 0x562fb should be: 0x5eece

Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name:
Source: fjL0EcgV6Y.exe	Static PE information: section name: .vm_sec
Source: fjL0EcgV6Y.exe	Static PE information: section name: .themida
Source: fjL0EcgV6Y.exe	Static PE information: section name: .boot
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name: .vm_sec
Source: explorta.exe.0.dr	Static PE information: section name: .themida
Source: explorta.exe.0.dr	Static PE information: section name: .boot
Source: sarra[1].exe.2.dr	Static PE information: section name:
Source: sarra[1].exe.2.dr	Static PE information: section name: .idata
Source: sarra[1].exe.2.dr	Static PE information: section name:
Source: sarra[1].exe.2.dr	Static PE information: section name: pebjcioa
Source: sarra[1].exe.2.dr	Static PE information: section name: qliweygd
Source: sarra[1].exe.2.dr	Static PE information: section name: .taggant
Source: amert[1].exe.2.dr	Static PE information: section name:
Source: amert[1].exe.2.dr	Static PE information: section name: .idata
Source: amert[1].exe.2.dr	Static PE information: section name:
Source: amert[1].exe.2.dr	Static PE information: section name: tgqtxtnx
Source: amert[1].exe.2.dr	Static PE information: section name: ouenqhoa
Source: amert[1].exe.2.dr	Static PE information: section name: .taggant
Source: amert.exe.2.dr	Static PE information: section name:
Source: amert.exe.2.dr	Static PE information: section name: .idata
Source: amert.exe.2.dr	Static PE information: section name:
Source: amert.exe.2.dr	Static PE information: section name: tgqtxtnx
Source: amert.exe.2.dr	Static PE information: section name: ouenqhoa
Source: amert.exe.2.dr	Static PE information: section name: .taggant
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name: .vm_sec
Source: random[1].exe.2.dr	Static PE information: section name: .themida
Source: random[1].exe.2.dr	Static PE information: section name: .boot
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name:
Source: aea7caadbf.exe.2.dr	Static PE information: section name: .vm_sec
Source: aea7caadbf.exe.2.dr	Static PE information: section name: .themida
Source: aea7caadbf.exe.2.dr	Static PE information: section name: .boot
Source: explorha.exe.6.dr	Static PE information: section name:
Source: explorha.exe.6.dr	Static PE information: section name: .idata
Source: explorha.exe.6.dr	Static PE information: section name:
Source: explorha.exe.6.dr	Static PE information: section name: tgqtxtnx
Source: explorha.exe.6.dr	Static PE information: section name: ouenqhoa
Source: explorha.exe.6.dr	Static PE information: section name: .taggant
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.7.dr	Static PE information: section name: .vm_sec
Source: RageMP131.exe.7.dr	Static PE information: section name: .themida
Source: RageMP131.exe.7.dr	Static PE information: section name: .boot
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name:
Source: MPGPH131.exe.7.dr	Static PE information: section name: .vm_sec
Source: MPGPH131.exe.7.dr	Static PE information: section name: .themida
Source: MPGPH131.exe.7.dr	Static PE information: section name: .boot
Source: alexxxxxxxx[1].exe.8.dr	Static PE information: section name: .00cfg
Source: alexxxxxxxx.exe.8.dr	Static PE information: section name: .00cfg
Source: cred64[1].dll.8.dr	Static PE information: section name: _RDATA
Source: cred64.dll.8.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_00FED10C push ecx; ret	2_2_00FED11F
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0050931A push ebp; mov dword ptr [esp], edx	7_2_005E1C33
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0050931A push 7ACA4E51h; mov dword ptr [esp], ecx	7_2_005E1D10
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0050931A push 3065C6BDh; mov dword ptr [esp], esp	7_2_005E1D18
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00193F59 push ecx; ret	7_2_00193F6C

Source: fjL0EcgV6Y.exe	Static PE information: section name: entropy: 7.9986498410293665
Source: fjL0EcgV6Y.exe	Static PE information: section name: .boot entropy: 7.956255917420769
Source: explorta.exe.0.dr	Static PE information: section name: entropy: 7.9986498410293665
Source: explorta.exe.0.dr	Static PE information: section name: .boot entropy: 7.956255917420769
Source: sarra[1].exe.2.dr	Static PE information: section name: entropy: 7.924648547837475
Source: sarra[1].exe.2.dr	Static PE information: section name: pebjcioa entropy: 7.9321971040715535
Source: amert[1].exe.2.dr	Static PE information: section name: entropy: 7.984896223453351
Source: amert[1].exe.2.dr	Static PE information: section name: tgqtxtnx entropy: 7.953308816348314
Source: amert.exe.2.dr	Static PE information: section name: entropy: 7.984896223453351
Source: amert.exe.2.dr	Static PE information: section name: tgqtxtnx entropy: 7.953308816348314
Source: random[1].exe.2.dr	Static PE information: section name: entropy: 7.999592556641182
Source: random[1].exe.2.dr	Static PE information: section name: .boot entropy: 7.955099922607866
Source: aea7caadbf.exe.2.dr	Static PE information: section name: entropy: 7.999592556641182
Source: aea7caadbf.exe.2.dr	Static PE information: section name: .boot entropy: 7.955099922607866
Source: explorha.exe.6.dr	Static PE information: section name: entropy: 7.984896223453351
Source: explorha.exe.6.dr	Static PE information: section name: tgqtxtnx entropy: 7.953308816348314
Source: RageMP131.exe.7.dr	Static PE information: section name: entropy: 7.999592556641182
Source: RageMP131.exe.7.dr	Static PE information: section name: .boot entropy: 7.955099922607866
Source: MPGPH131.exe.7.dr	Static PE information: section name: entropy: 7.999592556641182
Source: MPGPH131.exe.7.dr	Static PE information: section name: .boot entropy: 7.955099922607866
Source: swiiiii[1].exe.8.dr	Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.8.dr	Static PE information: section name: .text entropy: 7.992152217310619
Source: swiy[1].exe.8.dr	Static PE information: section name: .text entropy: 7.985989435134696
Source: swiy.exe.8.dr	Static PE information: section name: .text entropy: 7.985989435134696

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\VOC2vgozeooRPwe4xNfnekbg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\o70oR4A1odPm6ZpEPmcUY0kf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Ud8P6u9zcQkOThPmdNJauqRX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\XBajRwldCSS42gwh4zu9f3ce.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ArokRzfYMxWDCVlcYzlFE2Lj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\p7KXtY1OslUIeP9Ce7HA7pcJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\ar5KINQCCayk0Kw6DN1FAVFx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\swiiiii[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\qXzqKXhtyyRVQ12sGB23FDz0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\iiEhcrEC7kfTSvcQ2xPEqYzR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\WIZZw2jIWtghnINz7Bolcg6s.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\h9zNDFfiMy6YEXVQdIbIdOv5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\GcbucsdsAk7dv2EzyRdhbByI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\R7igej85hEl8p5QzHqqsVcc4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\k4a17b3U4KeqWyuMzrdWzqyt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\joRzh0eN9ubjpRYMOMHaTsYl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\zQeTuw5vxgdbKmiVRBeW6SUZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\vG3D68E3KVPIYrQEMWMU27tl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\zqrjs0OTmaC5sGR5VDn5k391.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\vQkPzCCvFzBxzLEPKtUXhb4x.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\27xttgdEmHmLdE1NNbjDPunl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\WmwQPTarASP4EtQ3MAZKQqLX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\4ebcbWCvvuWPOCPYovXXMriV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\CwwSkg4Z6r2CyUx7eieftoSL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\US6SMVSChPuNg0C79rqEySgv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Nx2ualF4WR83o8BLpmD9zVrW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\9DP8FgphO9xB4vzM75llXw4b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\fW9mvrDIULE1qzTuYb8DunLu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\0FhI3ymKwyu4YKH0P5aiSwr9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\NAw5Utgp8P611rdec0BR0MlI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\7mRVtPlrMfZmo26ldo406lmd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\kivxs7Zej5QjZRx4S943Y5EA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Yv6kDvOTN4rtEsFYOeCJZShm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Zy6qmavCIexKIuB9nNrNHs9p.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\OjMaXQfausZW7L4bZ74RhT97.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\FMABIYNaDvdpX82vGnLOftDu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\jDKkqPCmIoUaiq9LrPYuCKQs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\NXXoMKuzuftWWcaGwWfRizTp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\TexEUOb49XCfEjOcQuxS4LdR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\F5nHoJjiPsXq9PqBPnN3uVb5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\DqApJooverXr18YkrozyIUpZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\qiW5UZkXzhMJ8qrVDgrcAGm1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ARFJvysANOCKBRK3eId7VsQB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\aR1aAXIrzQtExVh9FbdfoBrR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\lI1wLYD1b5s5Qo04Ewg0WqV1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\xFvJiGaaRqrUdwrQth3PHHC0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\NAo5jaAAmqipcIgVfrpEqrOC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\fRiNFTEVJnpONJofzyWKlqwW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\gsF9GZceaIYWveF9Wn0mXwbt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\6lvatP6Q76Lt1uvfZT2GD6HY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Loo9WoJBx4a6RLa9vZq7467f.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\UrMKiBsPUmHBdjATiF2xGFWW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\1000021002\2c9ff67496.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\5Xza309AWSsKZ7QtcoKLlH6j.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\xYhK2iEXeksXlPa9BMLXm5tE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amert[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\D8TGVGr0asGkgU3ycSpOmYcn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Yg9IAPVdFD93gbLGPdcvbgw2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Y0ZKJ4dRBRkIRESl8nT570lZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\enEog6vYdNgmFKOyGbVQTrXc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\91wCUE8aqMgtssmXq8JjQEVt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\OFqYXukHEjQzmQ3ijziOsyC5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Czc5fung6FsMhCVG7EMYaiqO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\file300un[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ELbDrf9qIHQaBWPxuiJjUCoM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\f3qMySWuesp6iqsnQUyX8UG1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\v4pPJZm6TK3eJidyD0YTpSI8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\VUhKLgvybQx21ilX50E3IN7y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\cqEYVGnsRBmElwXA0pViDIv4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\nw6IIdZQfEhqp8k6unIrj2qH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\N14E2wCpaY7ufVWw1V4rquym.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\w73g23dHAf0dTWCMUXFqmd74.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\dLosfqkp920zMbaetcnvwrJJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\z2u4DwiwBezR2xi11GPVbROw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\ybCY5oONgBmPsQ2TsLXObZGj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\aAFMFn8XgxK4ax5TQ7f1st28.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\bVARrzkwQmnP1mnoffZ1HExy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\WllNfMrTNMJ4E1bpkfOuURJc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\O8qlhpLK7TtBYe0J94Fm1B86.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\PbrRyuOT2DJaFlbAzGY6neq7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\VRZS2eg6KpyehTgltwjCKDt4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\J6EKnVYc7FheOARgvJ4DtZho.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\RbvLNaGRBEsayaSXnP4Zo5B2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\JkJexXpPrIyNVfwGJRUJua9O.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\604jEG5qQpdnhPVOdLS1sPeh.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ZFNbxiSI6dIgrSto9a3Z7jlo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\YdDMLcotJvPaOVEHpalanl1d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000081001\install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\tRGz8YUeJOvAWwmplTaCNv1T.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\2D21U1bRl2sEI2OnuIMYALNl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\3bvlPX7g5Zc6pp8TPpEM470u.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\TwRm9Z0OjBAq1e9wDGeHmdCv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\bU6cqro2wPcmClLzDGRpxfw1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\3OywHIBuj0AIQ7Aq3CE27htS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\pTXFwTPyWVPZ4sTiGkA8a5ei.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\GFV2yyE0PpJkpGdl2N1D7Pr9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\kqcWDzUDzGODoV7JWmwBlZRR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\Tn3AK9zqC5GmoiH5iA9IY9Q6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\v7Li9n9DDXtQeZJRorH86P5g.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\hQa9fYPzQBrGD6byFRloLN5U.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\gpxXZca2LPxp8nx3YxfAq52Q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\vwsgN3REbITHxJG5vlKYY3Vx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\fybzTZ3WiLAPEZj0fVOx3M0F.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\install[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\7QngCiEI0nWQ5NI3rtCate4r.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\eNB1RX0hn7cF5yIvRdwV0Sdv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\yNQkYyPgov8fX5k7nVDGzk6w.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\nRXc5v7fBpZ3Rt6WXas92N9q.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\0rCtm6Hv5UQtXJOFVlEJjcOA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\swiy[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\bsl30mcD1mRV5YLU9isxcsMk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\UnZ9xXtOVzbDDdfuNC2Trxtk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Te8IoKHiu7i6R94P1wuixO8g.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\ZA6xyNAEYiDprMq2qgywyku5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\TEpqQjIAfTfCTbePKUGsV0Gk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\Pictures\uU9N3wILYLaLsdrVTU78EpKz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe	Jump to behavior

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m7rmoohzeMWquAaKzkk44dVj.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvqSJt3tl4h6cFLkNI7pBJj3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6GqiHIfrVXBSZnggvuCnsYvX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IjO2xpTHgE815NSQlystxL8c.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EEuXRjfzeiH8g0YM0L56zBMH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c34MmnctgAY66QOjPh1MsOwS.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FOHad4INGlVgGUzrXOJHgTLE.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zTd9jVATVG0lNsWEWwXEZFpl.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zHj24vPtn17meARVbAfrBNWr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZUVBQJWmw30MkYm7XlKt7AGj.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5plmIsCmu1c3pDoA2jFr0W4n.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiP2ZriYOwMApD298FYD4Lwu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KmRS6Y6tZZ9BPfv48PJiBemY.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bHMeT4pgXesEvyW5uPXeXrhV.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n4riRFZEfbyVOzVYofZBOrtB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LsPvdG3dCcHmKoaWKVaA23HW.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwiFh4sCwLoSouuc0prFCqtK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UXpk6OrC4BILh0oiUWoQz54b.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DTIhxF5q0Qg6L1VWLqKGtCG4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ukSLyv62ACmzThXwhB3niDP7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5b1TWIrVUYsAwT3lLhmzDTv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c71unQMWeg7PYGrwROGwHtyF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qD3SrN8S7WnRLCMKBnzLsK1O.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnmqTLPgvl17VM6aTOSeVWAl.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IrkwNHffMo4Eka7tqdiM1FpJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STCrhsi84NOAwKBL55hj4E9M.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gAslh7vC2xygVyjix2LVTyPC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h7tMLzMWAx4CTbi9OWkNEVuS.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o20nv1tLMaTOCdndUzZLyXfK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yFtZUbxQWpIY2HaeXL30Ywxf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q9pKFX60prYFxYuSKChGpHnm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XAclRwykwhW5w1I14vXutIP8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7DW6Gc6MAdQrxCFHJUHs17zd.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54jPFh9oLJVW9bkfFqvuPgKg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jzizZsyjVCfkdBoHaY04ImfY.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cWf68SrrVhigcjAkioMoDc9M.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pe45LiQAO3PHwvHnhaBGnATu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xVyc1vIYuCdL1tewhYCziFVg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nA8bY9X2FgzDvoAfS8gVQ1wr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oo2nklTvOQFEbMqjuAmf1Hnt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6imaeIZVrnGARWYKvSqZT3zH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwizdCQzMqPRubh3w9ge1vnD.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqU1ZUdZjjkc4TpP3qVRVTsG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrXTpI9TA9I1c40N4WaBDHUx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jM4p86qq1bs1OanP3F710dRm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t5H58EEc8NvQUOi24FS2QU9Z.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FUeo6cPMtQcyTnVLTt6Jjsg6.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EaH3os3XyhQRwzfrIoMsgfOT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y1TuohWqsbj6qW86KEnlWYJT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YopaqCHxlkH079wqgDq82QyC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y29RiGWpm89ujqyBR956QKV7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gTBwdxjcV58Ds0EuIxEHQuyT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\knu0oyMuRWGGQcesFzGIw2Wt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HPpcD7tAr9JffyluVr9Dqnzg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sq2vrp3GOThXviJiP5PWUXgP.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q2MHhQs8ujbyxQ9nIy0rUSZ9.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rqQPiQHZVdsiyiCJe2b49hD1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoHZgMdmi98eGRLir19wIU3i.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62G1Wdx3GqQR8gREza0Qjrhd.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\te7OtjZEJK2Mk7mXcL1FVp1t.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ceU4OQADnN3GJaQwan1vgjT9.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pG2TxiBh4zhTCyAEyXazkYkx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2nCXxdPnLk5JcX0DaVpRhjv8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVnNMQ4xWRaJB6uq68mTJkZN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4jfLDdZXDrYucdBARadSTAAL.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYpNAXn4iUQjB76qpm9rHvvP.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vAI2Xs35kAr2PgQ3tHk3TkCy.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWTZFaAwxnpP4x7n3ZxQtmcV.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7A3wvEg38KHuYPHbeRkE6OY.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KvisCbG5r0sGPjOu6iOuXUA7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F82kF5QJtwswX0bD7pirl83T.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5sXlOTcmnXvKeyfdiBhcw4ND.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egIuyYL0XWot1sQ1CKEo0yi2.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XEOnGkLosqdtoEbIuQ6cBGC6.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WH9sbyUogprfrhqfOzjOuvhY.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7xqIRWplklsXiVj9AJQsuokd.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9XRyJ5AMIyBRzhQ2TMbTCcnl.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ySmmNhEhk7waj4UzYYFLdjJ8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hLGrDTl5wAe0ZCERmdwmmvPw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RV9AxJTOIoBEpSVL349oMZiu.bat	Jump to dropped file

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STCrhsi84NOAwKBL55hj4E9M.bat

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe

File created: C:\Windows\Tasks\explorta.job

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STCrhsi84NOAwKBL55hj4E9M.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gAslh7vC2xygVyjix2LVTyPC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7DW6Gc6MAdQrxCFHJUHs17zd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q9pKFX60prYFxYuSKChGpHnm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pe45LiQAO3PHwvHnhaBGnATu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jzizZsyjVCfkdBoHaY04ImfY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54jPFh9oLJVW9bkfFqvuPgKg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xVyc1vIYuCdL1tewhYCziFVg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrXTpI9TA9I1c40N4WaBDHUx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y1TuohWqsbj6qW86KEnlWYJT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HPpcD7tAr9JffyluVr9Dqnzg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\knu0oyMuRWGGQcesFzGIw2Wt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62G1Wdx3GqQR8gREza0Qjrhd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\te7OtjZEJK2Mk7mXcL1FVp1t.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ceU4OQADnN3GJaQwan1vgjT9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pG2TxiBh4zhTCyAEyXazkYkx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVnNMQ4xWRaJB6uq68mTJkZN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vAI2Xs35kAr2PgQ3tHk3TkCy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWTZFaAwxnpP4x7n3ZxQtmcV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7A3wvEg38KHuYPHbeRkE6OY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egIuyYL0XWot1sQ1CKEo0yi2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XEOnGkLosqdtoEbIuQ6cBGC6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WH9sbyUogprfrhqfOzjOuvhY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7xqIRWplklsXiVj9AJQsuokd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9XRyJ5AMIyBRzhQ2TMbTCcnl.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ySmmNhEhk7waj4UzYYFLdjJ8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RV9AxJTOIoBEpSVL349oMZiu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hLGrDTl5wAe0ZCERmdwmmvPw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZUVBQJWmw30MkYm7XlKt7AGj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiP2ZriYOwMApD298FYD4Lwu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LsPvdG3dCcHmKoaWKVaA23HW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UXpk6OrC4BILh0oiUWoQz54b.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DTIhxF5q0Qg6L1VWLqKGtCG4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qD3SrN8S7WnRLCMKBnzLsK1O.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IrkwNHffMo4Eka7tqdiM1FpJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h7tMLzMWAx4CTbi9OWkNEVuS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o20nv1tLMaTOCdndUzZLyXfK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yFtZUbxQWpIY2HaeXL30Ywxf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XAclRwykwhW5w1I14vXutIP8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cWf68SrrVhigcjAkioMoDc9M.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nA8bY9X2FgzDvoAfS8gVQ1wr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oo2nklTvOQFEbMqjuAmf1Hnt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwizdCQzMqPRubh3w9ge1vnD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6imaeIZVrnGARWYKvSqZT3zH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqU1ZUdZjjkc4TpP3qVRVTsG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t5H58EEc8NvQUOi24FS2QU9Z.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jM4p86qq1bs1OanP3F710dRm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y29RiGWpm89ujqyBR956QKV7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rqQPiQHZVdsiyiCJe2b49hD1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoHZgMdmi98eGRLir19wIU3i.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q2MHhQs8ujbyxQ9nIy0rUSZ9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2nCXxdPnLk5JcX0DaVpRhjv8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4jfLDdZXDrYucdBARadSTAAL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYpNAXn4iUQjB76qpm9rHvvP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KvisCbG5r0sGPjOu6iOuXUA7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F82kF5QJtwswX0bD7pirl83T.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5sXlOTcmnXvKeyfdiBhcw4ND.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KmRS6Y6tZZ9BPfv48PJiBemY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bHMeT4pgXesEvyW5uPXeXrhV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c71unQMWeg7PYGrwROGwHtyF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FUeo6cPMtQcyTnVLTt6Jjsg6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YopaqCHxlkH079wqgDq82QyC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EaH3os3XyhQRwzfrIoMsgfOT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gTBwdxjcV58Ds0EuIxEHQuyT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sq2vrp3GOThXviJiP5PWUXgP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m7rmoohzeMWquAaKzkk44dVj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvqSJt3tl4h6cFLkNI7pBJj3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6GqiHIfrVXBSZnggvuCnsYvX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IjO2xpTHgE815NSQlystxL8c.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EEuXRjfzeiH8g0YM0L56zBMH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c34MmnctgAY66QOjPh1MsOwS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FOHad4INGlVgGUzrXOJHgTLE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zTd9jVATVG0lNsWEWwXEZFpl.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zHj24vPtn17meARVbAfrBNWr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5plmIsCmu1c3pDoA2jFr0W4n.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n4riRFZEfbyVOzVYofZBOrtB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwiFh4sCwLoSouuc0prFCqtK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ukSLyv62ACmzThXwhB3niDP7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5b1TWIrVUYsAwT3lLhmzDTv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnmqTLPgvl17VM6aTOSeVWAl.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OGxF8QiZwcaGkQdKkNxhjtKC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DaF2Olxq73DrcM5XABIaSDSs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0AhsRiT9HXP8nUVjVsC7lnJ0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gJg50l6myURZCwtjufWOVpuQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r2YWMyz1YP2FRpENqKhaRZyt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QdpodRlWnGVsi1g0pQlfyjkP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cybr2MFwU04XAQwxPolKMqQO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z40K3kSz8nbFzfavMmb2eQ1n.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ud84rpY6iPONwnxDRebDCuje.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nDPvMcSCVReoFfNwWf9VtsJX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\riJi6LbnhEUeeWoDdafUeGUh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cx4e8RO84usGaXQVOUIGUHN7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sMtjKcNXah8bWY1GB43Z2Nvo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\twq4PH3MymMUgP37K2gZssJh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNNHEyhgRrOs4sf0Abdt3Wtz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dpHGv1tNgh6UmtLh4Mqkjgjv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hSCCnQw7GVDGmVOXtfvP2hU8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jUWcmuyDRAqLaCBd9Dir7NUA.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZR34XbNproylHK1OhCoumicm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFmSJTQNwHQpsEsQ8FhGjVhf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCGrdnJ1qQVZI63zkxF23uXt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iL5NcfykjvYjelixOHPRaZHt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6FszJF4Jwp3QxyxLpDvQzAl2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dx9XlsFGiH3rpffDOMJTlVCT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3GVdArWrvqFumsoLu9aCMU9n.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L27QyUwBuL8LDeoeiTYngDXN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zf4TbZ9xgzGXCn5nRSi3ASnS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHfwD6qh2lBvC75Opce7fium.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2jk5Ed8sbV1MdGoz8FX4N9Hp.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdAu1py9oGqttgGdYGDbSYEP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGCuCvTDug6xrGNCcg8Zzr4Q.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87Myp1xPYg474LfEvPhin1sM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ok8j6Gi15r9nn69GkEMiN0f.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvTF5Stn8q8opEUq3BUf9Rv0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOLSA4x4asjbGy8gzHU30TYG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WNOBUZbm9yxe1iRKWoynoUIy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vo4ffLpBFZ5sdbnp27l8y074.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kPJfV3ZQezcsvjAhmetWY8Y8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xP7yTfvHKKcmGH9LL4Y0EV5l.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCcYLhQDhaKCD8C2TL308Ccy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4HuOT9Y3iOProWVE46tkp5iF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qIV5IkUFJT6RzFUeYYNriiUV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hPV8AWYTryNpE1mC5rBtXit0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\liIn7TjvcDqHfsnz7CkJCEKM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYOpd6e3YCsTXY2lWZg8CTug.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WDgC9U0r7503UsfGkF2RRn3x.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WiaMMQARpLPsDSLsvQ9qjDcs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tF8eEwyMMvkaTDsee1xL3HLS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdSL4NdEKZVGIWPsxIYWdkjz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brLaHNHGLFYzGG6LomG1B4Tq.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rZgSTCkIvN8yd8LayN7at2rk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9lhml6yObMMtVfHgzhCEXKiW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TQ7Xj8C54JgaNX9piUAHzDC2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDZBDFrQOFQSKgaXcgr0m0SH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIVjzIwHnUmpEmAuV0FqOhZ9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLDKPYpbZFVU5NBr5mETep15.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsnDe5krusoqelWGCXOp3Ese.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\80Iomx6dMXCqhiHR5OZ8eWyc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iMvChnakRPEkaD9Vn8Vadnrf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\46J92a3ClQAsYFD6LVy9eCdW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stm7mydXoCajWO8whM7xdLvc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6Sdb7d8DprhURPQDGAKSK94j.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1pHRZ1WVTkwE1Jqqj49K6TVM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wcn2wv9yjThIe2YI0pq7eSRN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3HBynVapH8nz8IySMCRtzjIo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lbsaepAiLNJYR1eyWB3aJPen.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98JvCEwV6EjOk0MbNLLOtSSq.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rqxMDrzhq4w4Wyoz26je6XFO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YZwOWglUJKZNfk0Tr6ufVqnF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9oim7S2Do6aMr062mmsJ8og6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1OUEB4W7HwU4gIL2MQvEH1zP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7jzqF6B7KYhIwop5Du95n6t0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0g2ftn8MzMEKjC1SL91RWtO0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spQnYLsoZn8FuPq7Rq7CHj3C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90sjRPCwDoM2H2uL8wp1VHna.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5IpslyurCImJpLxB2skJQKtk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dMlEgFklgLyUXbgOt2CQSyeo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ouwt4wjaBzBbldWsocbACzsI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgnCc8y5AIKgge6nJLgAKezu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ydL2O2Rp2S7GYzpUl5sssvWL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53G4C7fkisr75N0k0Yr3sc1j.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YhaxdmO6NS59ZyhzMB2qT76V.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BcXOICI69P2jzAegsKAB9xIZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cEElHYdot58DykVLbQVOezn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yEv7UzOa4D2SQVTKdy0KZBrz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vD86VQ7j1YxDcHW3sRNL2keZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0GMv9jZTcSw3m2Zzo1oAc5Kp.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qMSbk05eVuh0cDCaZ05cqYYm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LCtB7VLSyqko0a8UPu9cDXNs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5eoWgqllqSYAN6GnQgnRWOyK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pe2zVb5Lx59tdswPSzNRCctx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8tScOKc2FhcNTydZgmwXpKG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MF1n1MMRavEUlAvxHRMPbdvM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UkzNDwjKmksIzh7O57WF1ALJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyAKpWmpR7jV1gZPnSl06Cdn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njwwrVvaL3wGhJS4ZxillTvY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiAPJYfgX9RwDDruEp6r5bnw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgz7tPPFnFUHpWfqwocbe2NH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDgLEqYP2vYDLgaMARikOx9C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ijWfD0OEdNC6VkDu24y3Rne.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3zRfMhMIC0AjDney9eMJdTjf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DyQcp4eyTi30uvGlVwNKPZWh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\223Wr2Fp2qzADNFnnB7poHrJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FXCwMu1qq8h2DZK7BzuD0YTA.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSL5hB44p9iAfNXRGSPd5HdW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMWAVeXs6h4p9OUG1VPvRvUf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g3U1TJxNY6EWdrE5XnfwjDNZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvsAqBcs14MSMj5n8WcpjIQJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jyNSGsdxxLbtbZT1tgJZbFBN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWTvMja1w8IFflYe4c1dWcn2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tzTXHdO2770KAyXRmuUqLq0v.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBifmCHAE32dJaBTudWeQeic.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p1DEZhGyn4e3rEGBiwRbbVS5.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RO0wJRSV6jerStwWPZ7Qg7Es.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opa6VpUVU4ItMsikkorVFHGh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qMiyYzXywQQ6HUsYsiYCgMTf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0pgNNYepfpd1ep72J4H70XqG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmYshULAdXuSoLNh9KiorD58.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UhNz9jeL1xn8sCR8SjowJpOc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRUjFbJoTvrGefLBcITlKfd9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZlsvkS6ByVyXxkmQMdGfEcfr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cyLJ3m7ZPJSLd3ZuRVxbnE3s.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isKrb1wLEweQlNV1B0xqzvxk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4tAPySWDAPFfsDLEdFtyXetO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMxR9o5aAvZMrjCQUhD9HCL1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9PLm3CoXN6343EaXDXwAfru9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ZzCXoj423gmjbO1IwxWNDHP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tg5rCqW3mqvoxBUo1G1Of67b.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oqr25Evsg9WOTrsZ0VQQcZl8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mazxvv4LSujOl8iDjugFvUbN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lin1MFBl3hwvuCO3b41Oausr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z7n7OAst48KiwRxw3CThSB7H.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beTl29zkSOhao4hDAQ3xc2IX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V2G0bqE887F5d6XIWH4lyRCS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BPtxlAAYArafirsKvhTulnE8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fe7rLLgjrc7oFSlDzs5a0QrD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6MpvBSYy7QSy59FE2mASGDR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y0YyyGkClVNh7AiOB60bb5xx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VEGRZKNIwf60Lgl1MBoJQ0ZR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvvH2hK6rryg4Cg1rwqWElGj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LisYZCjcRKMOA9tgqlvWBYFX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CNfd5FiEPcxMOKTNBgdpS1PY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UOqMHoQ6sJWPszKy9pdAJESM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgNmv2f3PC4ea6prF24Y1Q3O.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e51Og1eFOzino0O7DaaBhKzx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmJNQ79PtAIeJXJjb4pH4xzP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flZPnObYdJxjXam4b7Afu6fW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uf6B5fw4fXszXeBdZJje8qoI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5mRkxrSVZ8mQXdnkR0bcs9BN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z2I3VgiKnHXlxEW8sZRfqj3o.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cTUA6hJRQqZfaaHxpQsjvDGi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCgckEGm4PGsBp4hNII9RWCb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sUgvnBNq9F0hYR8cgb1rDE7N.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Se1CGrooWTbosMPUIM3bKpgi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCWH8TaW9IQZKg5DQkHbDqxJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CuvvB4T4Z5K1LwZb28zOvoO7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDlZpZ3M3en2qQO1cfoPA1I1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\whVnM9rGJ13QjhGc1Rt16wa2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ypAzZbAHcREafMGRflK8FqL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6VNYKWyURTETEJdXck74Vgpa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FFTGVMEfsqk6j5oSz6zolzfL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ly548Y6PjIWHZ05puZx1i8N8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bixO5L74B9ixnhuSceKTzqO3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZlyNt4NgQIAJoJxWDPAmAsPv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ok6RlED8S3NTX5X3U5Jy2kCe.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02yWcihZkPqdFfZMeYSvhncc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NT0kx2lWWZ91znDneizhQaHo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IRxeCoXJY6JkXTxGsdt0TUFl.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sLBemkmbPAWlcMw9HPzyIWd1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L2O86RPVrJVS3laNoEySAhRr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sUXJBtnLfTGR9tyzbLiQcmcD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jljpEbOjbYACwFqIBm1kiJGi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2XUzlA8k5WK5zlvt3tTJwImN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zFgbHWM50vrkEjI3vzuyBIW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dL9MJob9nWX8FZAYyWD9Ut4N.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBriyiDzNpHyax19IH3WQHvV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLoIrKhz34gPeslplYeXvTYE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\maiZkA6ZHQSr4zLaqV7nMF8g.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CK8mgIhAZK0QzLNTNZuSbUoH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zbz0wpakMIyBfTSoyYM85bCt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVh0F5xHsjXT8AKR9GZ1WCxY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N5je2TuP0NZeaqaqdxYy85NF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKZYxLRDuoUz2qJHflbvTYna.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F4jGAqx0AlFkEFV9d1HGs00R.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AR4dLubUhSpG7yYwe01z0wt1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OzzXoIKlVGWCCm8n1jA0R77y.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44FJzHoQ1A4IsV1f1ac9TihC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A7fQLTArS05zuFFcZCiF4aV9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U9kQAbIjmfH5gnYDkkcr5N0B.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vxSMT75ZK9xqII2EvqG5wUyR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FGgboOj6M0Japikm1aF93yr1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nVhAOQdd2NnYXtsOhH2CoEIv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ft0WOttlZlpKpMdZSnKtpGBX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TqqykfPo7pEIpGfLS98j6JLn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvWH6jTdmaobHQpeKa8QMfmF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEi7QcndVjucI1YTwi4LH8yG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOi4FRPVOEbPzOmbwntlzt2Q.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\euZx2LVZcKmVfRuQHSHBly5W.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K6ER7CKyfGlYZfnc9LFL2pPe.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dSTotanv7U42nerMY8Xbncl5.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NHebJu3zFkPDrak3auvIjrSB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1zoVu5VJKkUoNKt6ZUPBgGLd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iW32fBwuXqTRXkwTTV9tnE4Y.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXVNvm9czP30VfGRKOb8NQ99.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gkdNInesmzVzVnL58vVmpOC0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElwTXFgYpDJPq6ia2zSutSfk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50nriTd7pYXWjJrxKQVsJbjK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DjAynFk5t26gdRT9HQ6r6Ha4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zvydu6CveySMcgpTmnCqZHFi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0mI3ziaaiGwEZw2JcH1QmfK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERJjdWXBMC4KwkZbMy3aNp7s.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4VWKGnOZbSrWJcYB0IuLOHh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m47NhrS8mJ7FJOyuNP7YLcDb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h131SDDbHMqABr109sBD1eGu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2OltYTqremlJnfAVhyJtnVrc.bat

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\2c9ff67496.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\2c9ff67496.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\2c9ff67496.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file300un.exe PID: 3940, type: MEMORYSTR

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Stalling execution: Execution stalls by calling Sleep

graph_7-46067

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: E9F47A second address: E9F495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCC1D4AC75Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: E9F495 second address: E9F499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102050F second address: 102052C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC762h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102052C second address: 1020539 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1020539 second address: 102053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102053E second address: 102054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102054C second address: 102055B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101F56D second address: 101F5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FCC1D4AF176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FCC1D4AF17Dh 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 jmp 00007FCC1D4AF17Ch 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCC1D4AF183h 0x00000026 jmp 00007FCC1D4AF189h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101F9E7 second address: 101FA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b jng 00007FCC1D4AC758h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101FA00 second address: 101FA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCC1D4AF176h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101FA0A second address: 101FA23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007FCC1D4AC756h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101FA23 second address: 101FA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101FBBC second address: 101FBC6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10232AA second address: 10232AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10232AE second address: 10232F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jnl 00007FCC1D4AC768h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ecx 0x00000017 jmp 00007FCC1D4AC75Bh 0x0000001c pop ecx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007FCC1D4AC75Ah 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10232F9 second address: 1023308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023308 second address: 102330D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102330D second address: 102336D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCC1D4AF186h 0x00000008 jnl 00007FCC1D4AF176h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop eax 0x00000012 jmp 00007FCC1D4AF17Bh 0x00000017 js 00007FCC1D4AF17Bh 0x0000001d mov esi, 7172AA25h 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 or cl, FFFFFFA3h 0x00000029 push 00000003h 0x0000002b mov dl, 8Fh 0x0000002d call 00007FCC1D4AF179h 0x00000032 jmp 00007FCC1D4AF17Ch 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b pushad 0x0000003c popad 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102336D second address: 1023392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023392 second address: 1023398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023398 second address: 10233BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007FCC1D4AC767h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10233BC second address: 1023410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ebx 0x0000000c jmp 00007FCC1D4AF183h 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 cmc 0x00000014 movzx esi, bx 0x00000017 lea ebx, dword ptr [ebp+12458141h] 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007FCC1D4AF178h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 or dword ptr [ebp+122D2ACBh], ebx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023410 second address: 1023416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023416 second address: 102341B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102341B second address: 102342E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FCC1D4AC756h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102345F second address: 10234B0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FCC1D4AF178h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 movzx ecx, bx 0x0000002b push 00000000h 0x0000002d adc di, A334h 0x00000032 call 00007FCC1D4AF179h 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FCC1D4AF17Ah 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10234B0 second address: 10234C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10234C7 second address: 10234CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10235CD second address: 102362A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC766h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jns 00007FCC1D4AC756h 0x00000010 pop edi 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 jl 00007FCC1D4AC760h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jng 00007FCC1D4AC756h 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 jnp 00007FCC1D4AC75Ah 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 pop edx 0x00000032 pop eax 0x00000033 add dword ptr [ebp+122D3294h], ecx 0x00000039 lea ebx, dword ptr [ebp+1245814Ah] 0x0000003f mov esi, dword ptr [ebp+122D397Ah] 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push esi 0x0000004b pop esi 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102362A second address: 1023630 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023748 second address: 1023752 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1023752 second address: 102377D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d jns 00007FCC1D4AF187h 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 102377D second address: 1023810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 je 00007FCC1D4AC756h 0x0000000c jnl 00007FCC1D4AC756h 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 jmp 00007FCC1D4AC762h 0x0000001d pop eax 0x0000001e mov ch, al 0x00000020 lea ebx, dword ptr [ebp+12458155h] 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FCC1D4AC758h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov cl, bh 0x00000042 add dword ptr [ebp+122D27A1h], eax 0x00000048 xchg eax, ebx 0x00000049 jns 00007FCC1D4AC76Ah 0x0000004f jng 00007FCC1D4AC764h 0x00000055 jmp 00007FCC1D4AC75Eh 0x0000005a push eax 0x0000005b pushad 0x0000005c jne 00007FCC1D4AC766h 0x00000062 pushad 0x00000063 push edx 0x00000064 pop edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042922 second address: 1042926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042926 second address: 104293D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCC1D4AC75Fh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 104293D second address: 1042947 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042947 second address: 1042958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCC1D4AC75Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042958 second address: 1042970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007FCC1D4AF17Ah 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042970 second address: 1042976 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042DF0 second address: 1042DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042DF6 second address: 1042DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1042F46 second address: 1042F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FCC1D4AF17Ah 0x0000000b jmp 00007FCC1D4AF17Eh 0x00000010 popad 0x00000011 pushad 0x00000012 jnc 00007FCC1D4AF176h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10433C7 second address: 10433D9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AC756h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10433D9 second address: 10433DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10433DF second address: 1043428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FCC1D4AC772h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 js 00007FCC1D4AC756h 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCC1D4AC75Fh 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1043428 second address: 104342C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1043593 second address: 10435B9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCC1D4AC764h 0x0000000f jne 00007FCC1D4AC75Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1044310 second address: 1044314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1044314 second address: 104431E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 104431E second address: 1044325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1012A3E second address: 1012A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1012A42 second address: 1012A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FCC1D4AF176h 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FCC1D4AF17Bh 0x00000014 jl 00007FCC1D4AF176h 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FCC1D4AF181h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10495E6 second address: 10495EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1049C90 second address: 1049CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCC1D4AF176h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push ebx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007FCC1D4AF189h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1049CC5 second address: 1049CE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jp 00007FCC1D4AC75Ah 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1049CE1 second address: 1049CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1048453 second address: 1048464 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1048464 second address: 1048468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1049E4D second address: 1049E54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1049E54 second address: 1049E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1050652 second address: 1050661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC75Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105092E second address: 1050934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1050934 second address: 105094E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC766h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105094E second address: 1050952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10537B3 second address: 10537B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1053CE2 second address: 1053CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1053DC4 second address: 1053DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FCC1D4AC756h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10544B6 second address: 10544C0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10548B2 second address: 10548B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10558B9 second address: 10558BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10558BD second address: 10558C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10558C1 second address: 10558E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007FCC1D4AF188h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1056905 second address: 105691B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FCC1D4AC75Ch 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1057356 second address: 105735C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105735C second address: 1057360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1058744 second address: 105874E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCC1D4AF176h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1058516 second address: 105851A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10591DB second address: 10591DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105C41C second address: 105C420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105D3F2 second address: 105D3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105E32B second address: 105E335 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105E335 second address: 105E33A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105F32F second address: 105F333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105E5AB second address: 105E5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105E5B1 second address: 105E5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105F46C second address: 105F471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105F471 second address: 105F477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105F536 second address: 105F54B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105F54B second address: 105F551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105F551 second address: 105F555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1063E55 second address: 1063E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCC1D4AC769h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1064EE3 second address: 1064EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1064EE7 second address: 1064EF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1066CA1 second address: 1066D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FCC1D4AF178h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov bl, al 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FCC1D4AF178h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 push 00000000h 0x00000045 mov di, si 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FCC1D4AF183h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1066D12 second address: 1066D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1066D18 second address: 1066D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1066E83 second address: 1066F3D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCC1D4AC76Dh 0x00000008 jmp 00007FCC1D4AC767h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 je 00007FCC1D4AC75Ch 0x00000018 or dword ptr [ebp+122D1B32h], ebx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007FCC1D4AC758h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f jmp 00007FCC1D4AC75Ah 0x00000044 mov edi, dword ptr [ebp+122D394Eh] 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 jmp 00007FCC1D4AC764h 0x00000056 mov eax, dword ptr [ebp+122D13E9h] 0x0000005c movzx edi, bx 0x0000005f push FFFFFFFFh 0x00000061 push 00000000h 0x00000063 push ebp 0x00000064 call 00007FCC1D4AC758h 0x00000069 pop ebp 0x0000006a mov dword ptr [esp+04h], ebp 0x0000006e add dword ptr [esp+04h], 00000016h 0x00000076 inc ebp 0x00000077 push ebp 0x00000078 ret 0x00000079 pop ebp 0x0000007a ret 0x0000007b mov ebx, 229C56CCh 0x00000080 nop 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 pushad 0x00000085 popad 0x00000086 pop eax 0x00000087 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1068F32 second address: 1068F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1066F3D second address: 1066F67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FCC1D4AC75Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1069DBC second address: 1069DF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FCC1D4AF188h 0x00000012 jmp 00007FCC1D4AF182h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1066F67 second address: 1066F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1069DF0 second address: 1069DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106BD6C second address: 106BD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106B04F second address: 106B053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106BD70 second address: 106BDC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FCC1D4AC75Fh 0x0000000d nop 0x0000000e xor dword ptr [ebp+122D1A1Fh], ebx 0x00000014 push 00000000h 0x00000016 movzx edi, di 0x00000019 push 00000000h 0x0000001b mov edi, ecx 0x0000001d xchg eax, esi 0x0000001e jmp 00007FCC1D4AC760h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FCC1D4AC765h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106B053 second address: 106B059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106BDC0 second address: 106BDC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106B059 second address: 106B05E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106E776 second address: 106E77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 106CF28 second address: 106CF2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 101B162 second address: 101B167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10758C6 second address: 10758CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10758CA second address: 10758D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10758D0 second address: 10758D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10758D5 second address: 10758E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnp 00007FCC1D4AC756h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 107FD8E second address: 107FD94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 107FD94 second address: 107FD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 107FD9A second address: 107FD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 107FD9E second address: 107FDAD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 107FF07 second address: 107FF17 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCC1D4AF17Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10801C7 second address: 10801E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FCC1D4AC756h 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007FCC1D4AC756h 0x00000015 popad 0x00000016 push ecx 0x00000017 ja 00007FCC1D4AC756h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108062B second address: 1080638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCC1D4AF176h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10807C4 second address: 10807F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCC1D4AC765h 0x00000008 jmp 00007FCC1D4AC765h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108092E second address: 1080932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1080932 second address: 108093B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108093B second address: 108095C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF17Ch 0x00000009 pop esi 0x0000000a jno 00007FCC1D4AF17Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108095C second address: 1080960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1080960 second address: 1080986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007FCC1D4AF196h 0x0000000d pushad 0x0000000e jmp 00007FCC1D4AF186h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10850A6 second address: 10850AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10851FD second address: 1085203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1085203 second address: 108520C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108520C second address: 1085212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108536D second address: 1085382 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCC1D4AC75Fh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10856CF second address: 10856DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCC1D4AF176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10856DB second address: 10856E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10856E3 second address: 10856EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10856EB second address: 10856F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10856F5 second address: 10856FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1084DC9 second address: 1084DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1084DCD second address: 1084DDC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1085B38 second address: 1085B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1085C7B second address: 1085C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCC1D4AF182h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1085C96 second address: 1085CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1085CA5 second address: 1085CB6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AF178h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1085CB6 second address: 1085CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108BDC1 second address: 108BDE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCC1D4AF183h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108A859 second address: 108A864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCC1D4AC756h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108A864 second address: 108A869 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108ADB0 second address: 108ADB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108ADB4 second address: 108ADC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108ADC3 second address: 108ADCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B088 second address: 108B08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B08C second address: 108B092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B092 second address: 108B09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCC1D4AF176h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B1F6 second address: 108B1FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B1FA second address: 108B208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FCC1D4AF176h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B208 second address: 108B226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCC1D4AC75Ah 0x0000000f jmp 00007FCC1D4AC75Ah 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B226 second address: 108B236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B38B second address: 108B38F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B38F second address: 108B399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B399 second address: 108B39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B39F second address: 108B3A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B3A9 second address: 108B3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108B3AF second address: 108B3B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108BC48 second address: 108BC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC75Bh 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007FCC1D4AC756h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 108BC65 second address: 108BC6F instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AF17Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052171 second address: 1036DB3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCC1D4AC765h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e adc cx, 0CA7h 0x00000013 call dword ptr [ebp+122D2E90h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCC1D4AC75Fh 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052383 second address: 1052393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FCC1D4AF178h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052393 second address: 1052399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105261D second address: 1052622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052622 second address: 1052628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052628 second address: 105262C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105262C second address: 1052630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052721 second address: 1052725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052725 second address: 105272B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105272B second address: 1052731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10527E2 second address: 105281A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FCC1D4AC769h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FCC1D4AC758h 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105281A second address: 105287E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AF178h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f jnl 00007FCC1D4AF180h 0x00000015 pop eax 0x00000016 pop eax 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FCC1D4AF178h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jc 00007FCC1D4AF17Dh 0x00000037 jnp 00007FCC1D4AF177h 0x0000003d push FB3ACA71h 0x00000042 pushad 0x00000043 push esi 0x00000044 jns 00007FCC1D4AF176h 0x0000004a pop esi 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10529AE second address: 10529C3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCC1D4AC758h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052B0C second address: 1052B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052D65 second address: 1052D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 105349B second address: 10534A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109289C second address: 10928D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCC1D4AC769h 0x0000000b jne 00007FCC1D4AC756h 0x00000011 popad 0x00000012 push ecx 0x00000013 jmp 00007FCC1D4AC75Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10928D0 second address: 10928D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10928D9 second address: 10928DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10928DD second address: 10928E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10928E8 second address: 10928F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10928F3 second address: 1092911 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FCC1D4AF183h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1092BAF second address: 1092BBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1092CFF second address: 1092D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1092D07 second address: 1092D1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1092D1A second address: 1092D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1092D1E second address: 1092D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1093046 second address: 109304B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1098993 second address: 109899A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109899A second address: 10989AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10989AD second address: 10989B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109ACCA second address: 109ACD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109A9D3 second address: 109A9DD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109DCCC second address: 109DCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109DCD0 second address: 109DCD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D720 second address: 109D72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007FCC1D4AF176h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D72E second address: 109D732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D87F second address: 109D883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D883 second address: 109D8A3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AC756h 0x00000008 jmp 00007FCC1D4AC766h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D9A3 second address: 109D9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D9A9 second address: 109D9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D9B4 second address: 109D9F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jns 00007FCC1D4AF176h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop esi 0x00000013 ja 00007FCC1D4AF183h 0x00000019 jmp 00007FCC1D4AF17Dh 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jnc 00007FCC1D4AF17Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D9F1 second address: 109D9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109D9F8 second address: 109DA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 109DA01 second address: 109DA1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCC1D4AC767h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10160CF second address: 10160D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10160D3 second address: 1016100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC765h 0x00000007 js 00007FCC1D4AC756h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007FCC1D4AC75Eh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A462A second address: 10A4636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCC1D4AF176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A4636 second address: 10A4643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FCC1D4AC756h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10160FC second address: 1016100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A493B second address: 10A494F instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AC75Ch 0x00000008 je 00007FCC1D4AC756h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A4AD2 second address: 10A4AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A4E16 second address: 10A4E1C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A4E1C second address: 10A4E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A4E22 second address: 10A4E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A4E28 second address: 10A4E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1052F57 second address: 1052F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A511E second address: 10A512E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCC1D4AF17Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A512E second address: 10A5134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A5134 second address: 10A514D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10A514D second address: 10A5151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AACE4 second address: 10AACEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AACEA second address: 10AACEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AA593 second address: 10AA59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AA840 second address: 10AA848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AA848 second address: 10AA87C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCC1D4AF188h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b jns 00007FCC1D4AF176h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AA87C second address: 10AA888 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCC1D4AC756h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AA888 second address: 10AA88D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD2D9 second address: 10AD2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD2DD second address: 10AD2E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD2E7 second address: 10AD2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD2ED second address: 10AD2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD2F1 second address: 10AD2FF instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD459 second address: 10AD47F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FCC1D4AF176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jl 00007FCC1D4AF176h 0x00000013 pop edx 0x00000014 pushad 0x00000015 jmp 00007FCC1D4AF17Bh 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD47F second address: 10AD489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AD489 second address: 10AD4B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF183h 0x00000009 je 00007FCC1D4AF176h 0x0000000f popad 0x00000010 jnl 00007FCC1D4AF17Eh 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AF239 second address: 10AF23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10AF23F second address: 10AF263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edx 0x0000000c jno 00007FCC1D4AF176h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jnl 00007FCC1D4AF176h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10B0865 second address: 10B0869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10B0869 second address: 10B0876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10B0876 second address: 10B087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10B6331 second address: 10B6341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jnc 00007FCC1D4AF176h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10B6B85 second address: 10B6BAD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCC1D4AC75Fh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FCC1D4AC75Ch 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0686 second address: 10C068B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0AA8 second address: 10C0AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0AAE second address: 10C0ADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF180h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FCC1D4AF187h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0D9B second address: 10C0DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0DA1 second address: 10C0DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0DA7 second address: 10C0DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0EFC second address: 10C0F10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C0F10 second address: 10C0F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C11A6 second address: 10C11AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C8606 second address: 10C8612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FCC1D4AC756h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C8612 second address: 10C8618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C8618 second address: 10C861E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C861E second address: 10C8624 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C8A6B second address: 10C8A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C8A71 second address: 10C8A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C8E9D second address: 10C8EB3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCC1D4AC75Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007FCC1D4AC756h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C901D second address: 10C9021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C9E99 second address: 10C9E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C9E9F second address: 10C9EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C9EA5 second address: 10C9EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C7D3F second address: 10C7D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C7D45 second address: 10C7D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C7D49 second address: 10C7D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10C7D4D second address: 10C7D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10DF307 second address: 10DF30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10DF30F second address: 10DF34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC763h 0x00000009 popad 0x0000000a jmp 00007FCC1D4AC762h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jne 00007FCC1D4AC756h 0x00000019 jno 00007FCC1D4AC756h 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10DEEDB second address: 10DEEE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10DEEE1 second address: 10DEF0E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007FCC1D4AC756h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCC1D4AC75Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCC1D4AC75Fh 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10DEF0E second address: 10DEF2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF189h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10E2A28 second address: 10E2A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10E2A2C second address: 10E2A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10E23ED second address: 10E2403 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FCC1D4AC75Ah 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10EFF9E second address: 10EFFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F8114 second address: 10F8131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC769h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F8131 second address: 10F8137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F8594 second address: 10F8598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F885A second address: 10F88A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007FCC1D4AF176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FCC1D4AF195h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCC1D4AF17Bh 0x0000001a jp 00007FCC1D4AF17Eh 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F88A3 second address: 10F88A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F93A2 second address: 10F93BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF189h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10F93BF second address: 10F93C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10FBA51 second address: 10FBA5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10FBA5B second address: 10FBA84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Ch 0x00000007 jmp 00007FCC1D4AC764h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 10FBA84 second address: 10FBA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 111F724 second address: 111F736 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FCC1D4AC75Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 111F736 second address: 111F765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jbe 00007FCC1D4AF176h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007FCC1D4AF176h 0x0000001c jmp 00007FCC1D4AF183h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 111F765 second address: 111F772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113558F second address: 113559A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113559A second address: 113559E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113A0C9 second address: 113A0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1138FBB second address: 1138FE3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCC1D4AC756h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FCC1D4AC768h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1138FE3 second address: 1138FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113911E second address: 1139128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCC1D4AC756h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 11393CD second address: 11393D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1139890 second address: 11398AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC760h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FCC1D4AC756h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1139CA0 second address: 1139CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1139CA6 second address: 1139CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113B6FF second address: 113B708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E307 second address: 113E30D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E3A6 second address: 113E3FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122DBB12h], ecx 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FCC1D4AF178h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e sub edx, dword ptr [ebp+122D2596h] 0x00000034 mov dx, cx 0x00000037 call 00007FCC1D4AF179h 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push edi 0x00000041 pop edi 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E3FD second address: 113E407 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E407 second address: 113E443 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jmp 00007FCC1D4AF181h 0x00000011 pop esi 0x00000012 jc 00007FCC1D4AF178h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E443 second address: 113E447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E6E1 second address: 113E714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCC1D4AF180h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FCC1D4AF188h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E714 second address: 113E71E instructions: 0x00000000 rdtsc 0x00000002 js 00007FCC1D4AC75Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E71E second address: 113E74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 xor dword ptr [ebp+122D19CAh], esi 0x0000000d push dword ptr [ebp+122D1C7Eh] 0x00000013 mov dx, 35B3h 0x00000017 mov edx, dword ptr [ebp+124AAEE2h] 0x0000001d push E352FBC6h 0x00000022 jc 00007FCC1D4AF184h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 113E74A second address: 113E74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 114182A second address: 1141831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 114134B second address: 1141356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1141356 second address: 114135A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 114135A second address: 114137A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCC1D4AC756h 0x00000008 jmp 00007FCC1D4AC766h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 114137A second address: 114137F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D3B second address: 5120D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D41 second address: 5120D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D45 second address: 5120D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FCC1D4AC75Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D5D second address: 5120D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D61 second address: 5120D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D71 second address: 5120D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120D80 second address: 5120DA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, E4h 0x00000005 call 00007FCC1D4AC760h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 push eax 0x00000014 push edx 0x00000015 mov bh, 77h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120DA2 second address: 5120DB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCC1D4AF17Dh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110BC5 second address: 5110C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FCC1D4AC75Dh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push edi 0x00000012 mov ecx, 7E05BCAFh 0x00000017 pop eax 0x00000018 call 00007FCC1D4AC765h 0x0000001d pushfd 0x0000001e jmp 00007FCC1D4AC760h 0x00000023 or esi, 3743B708h 0x00000029 jmp 00007FCC1D4AC75Bh 0x0000002e popfd 0x0000002f pop esi 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110C27 second address: 5110C37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110C37 second address: 5110C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007FCC1D4AC761h 0x00000015 and esi, 0D0BDB86h 0x0000001b jmp 00007FCC1D4AC761h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150971 second address: 5150975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150975 second address: 515097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515097B second address: 515098C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515098C second address: 5150990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150990 second address: 51509B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCC1D4AF188h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51509B3 second address: 51509B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0096 second address: 50F00AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 jmp 00007FCC1D4AF17Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F00AE second address: 50F00FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 call 00007FCC1D4AC768h 0x0000000a mov ecx, 4E9B3A81h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FCC1D4AC75Ch 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov al, D0h 0x0000001b movsx edx, cx 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FCC1D4AC761h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F00FC second address: 50F0101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0101 second address: 50F016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FCC1D4AC75Dh 0x0000000a or esi, 2535A9E6h 0x00000010 jmp 00007FCC1D4AC761h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push dword ptr [ebp+04h] 0x0000001c jmp 00007FCC1D4AC75Eh 0x00000021 push dword ptr [ebp+0Ch] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov ax, di 0x0000002a pushfd 0x0000002b jmp 00007FCC1D4AC769h 0x00000030 jmp 00007FCC1D4AC75Bh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51105FB second address: 5110610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110610 second address: 5110630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 push edi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d mov al, bl 0x0000000f popad 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCC1D4AC75Bh 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110630 second address: 5110636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110636 second address: 511063C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 511063C second address: 5110640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110640 second address: 5110644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110521 second address: 5110538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF183h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110538 second address: 511054D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cx, 38B1h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov esi, 715767B3h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 511054D second address: 511056F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FCC1D4AF182h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 511056F second address: 5110573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110573 second address: 5110579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110579 second address: 511058E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 1C7CD301h 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 511058E second address: 5110592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5110592 second address: 5110598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51102A0 second address: 5110334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCC1D4AF187h 0x00000008 pop ecx 0x00000009 movsx edx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FCC1D4AF17Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FCC1D4AF182h 0x0000001e sbb cl, FFFFFF88h 0x00000021 jmp 00007FCC1D4AF17Bh 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007FCC1D4AF188h 0x0000002d or eax, 755E2AE8h 0x00000033 jmp 00007FCC1D4AF17Bh 0x00000038 popfd 0x00000039 popad 0x0000003a movzx ecx, dx 0x0000003d popad 0x0000003e mov ebp, esp 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FCC1D4AF17Eh 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51508DF second address: 51508EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51508EE second address: 51508F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5130034 second address: 5130067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov eax, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FCC1D4AC75Fh 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCC1D4AC765h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5130067 second address: 513006D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 513006D second address: 513008C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCC1D4AC762h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 513008C second address: 51300F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c jmp 00007FCC1D4AF186h 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 jmp 00007FCC1D4AF180h 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FCC1D4AF17Dh 0x00000024 and esi, 287FE656h 0x0000002a jmp 00007FCC1D4AF181h 0x0000002f popfd 0x00000030 mov cx, C3C7h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C47 second address: 5120C5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 7D0Ah 0x00000007 movsx ebx, cx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C5B second address: 5120C61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C61 second address: 5120C8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCC1D4AC75Ch 0x00000009 xor eax, 48CC8DF8h 0x0000000f jmp 00007FCC1D4AC75Bh 0x00000014 popfd 0x00000015 push esi 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C8F second address: 5120C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C93 second address: 5120C97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C97 second address: 5120C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120C9D second address: 5120CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AC764h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5120CB5 second address: 5120CF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov esi, 764A511Bh 0x00000012 mov esi, 1032E3F7h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FCC1D4AF189h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515000F second address: 515006D instructions: 0x00000000 rdtsc 0x00000002 mov dh, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FCC1D4AC767h 0x0000000c adc si, 57DEh 0x00000011 jmp 00007FCC1D4AC769h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FCC1D4AC75Eh 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCC1D4AC75Eh 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515006D second address: 51500AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c jmp 00007FCC1D4AF185h 0x00000011 mov ecx, 614E1667h 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FCC1D4AF184h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51500AE second address: 51500B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51500B4 second address: 51500BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51500BA second address: 51500C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51500C9 second address: 51500CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51500CF second address: 515012F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCC1D4AC766h 0x00000008 pop ecx 0x00000009 mov esi, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FCC1D4AC75Ch 0x00000014 xchg eax, ecx 0x00000015 pushad 0x00000016 jmp 00007FCC1D4AC75Eh 0x0000001b mov ebx, ecx 0x0000001d popad 0x0000001e mov eax, dword ptr [774365FCh] 0x00000023 jmp 00007FCC1D4AC75Ch 0x00000028 test eax, eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FCC1D4AC75Ah 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515012F second address: 515013E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515013E second address: 5150168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCC8F70FF61h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dx, ax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150168 second address: 515016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515016E second address: 5150172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150172 second address: 5150176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150176 second address: 51501E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e mov bx, E116h 0x00000012 popad 0x00000013 xor eax, dword ptr [ebp+08h] 0x00000016 pushad 0x00000017 mov bl, al 0x00000019 jmp 00007FCC1D4AC765h 0x0000001e popad 0x0000001f and ecx, 1Fh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FCC1D4AC763h 0x0000002b xor si, 22FEh 0x00000030 jmp 00007FCC1D4AC769h 0x00000035 popfd 0x00000036 push esi 0x00000037 pop edx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51501E1 second address: 5150232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b jmp 00007FCC1D4AF17Eh 0x00000010 leave 0x00000011 jmp 00007FCC1D4AF180h 0x00000016 retn 0004h 0x00000019 nop 0x0000001a mov esi, eax 0x0000001c lea eax, dword ptr [ebp-08h] 0x0000001f xor esi, dword ptr [00E94014h] 0x00000025 push eax 0x00000026 push eax 0x00000027 push eax 0x00000028 lea eax, dword ptr [ebp-10h] 0x0000002b push eax 0x0000002c call 00007FCC217ADC3Ch 0x00000031 push FFFFFFFEh 0x00000033 pushad 0x00000034 mov dh, ah 0x00000036 push edi 0x00000037 pop ebx 0x00000038 popad 0x00000039 pop eax 0x0000003a pushad 0x0000003b pushad 0x0000003c mov cx, 17FFh 0x00000040 push ecx 0x00000041 pop edx 0x00000042 popad 0x00000043 popad 0x00000044 ret 0x00000045 nop 0x00000046 push eax 0x00000047 call 00007FCC217ADC49h 0x0000004c mov edi, edi 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150232 second address: 5150238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150238 second address: 5150257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, bl 0x0000000f mov bl, ah 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5150257 second address: 515028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCC1D4AC75Eh 0x00000009 or cx, 2B78h 0x0000000e jmp 00007FCC1D4AC75Bh 0x00000013 popfd 0x00000014 mov eax, 343EB2AFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop edi 0x00000022 movzx eax, dx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 515028C second address: 5150302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCC1D4AF182h 0x00000009 xor ecx, 57AD5508h 0x0000000f jmp 00007FCC1D4AF17Bh 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FCC1D4AF182h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007FCC1D4AF17Dh 0x0000002a pushfd 0x0000002b jmp 00007FCC1D4AF180h 0x00000030 sub esi, 38C349C8h 0x00000036 jmp 00007FCC1D4AF17Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100074 second address: 5100079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100079 second address: 51000BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AF17Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ecx 0x0000000f jmp 00007FCC1D4AF17Eh 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 mov dx, 1EC0h 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCC1D4AF185h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51000BD second address: 51000E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC761h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCC1D4AC75Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51000E2 second address: 51000E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51000E9 second address: 5100153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a pushad 0x0000000b mov si, dx 0x0000000e push edx 0x0000000f mov ebx, esi 0x00000011 pop esi 0x00000012 popad 0x00000013 push ebp 0x00000014 jmp 00007FCC1D4AC766h 0x00000019 mov dword ptr [esp], esi 0x0000001c pushad 0x0000001d mov ebx, ecx 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+08h] 0x00000023 jmp 00007FCC1D4AC764h 0x00000028 xchg eax, edi 0x00000029 jmp 00007FCC1D4AC760h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FCC1D4AC75Eh 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100153 second address: 5100159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100159 second address: 510015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 510015D second address: 51001A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FCC1D4AF17Eh 0x00000011 test esi, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FCC1D4AF17Dh 0x0000001b call 00007FCC1D4AF180h 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51001A3 second address: 51001A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51001A9 second address: 51001AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51001AD second address: 51001CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FCC8F75ABAEh 0x00000011 pushad 0x00000012 mov di, cx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51001CB second address: 510021B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000e jmp 00007FCC1D4AF180h 0x00000013 je 00007FCC8F75D5B8h 0x00000019 pushad 0x0000001a mov esi, 7CEC20DDh 0x0000001f mov ecx, 018EEDD9h 0x00000024 popad 0x00000025 mov edx, dword ptr [esi+44h] 0x00000028 jmp 00007FCC1D4AF184h 0x0000002d or edx, dword ptr [ebp+0Ch] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 510021B second address: 5100238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100238 second address: 5100259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100259 second address: 510025D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 510025D second address: 5100270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100270 second address: 510029F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ADCAh 0x00000007 jmp 00007FCC1D4AC75Bh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FCC8F75AB59h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCC1D4AC760h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 510029F second address: 51002AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0819 second address: 50F081D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F081D second address: 50F0821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0821 second address: 50F0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0827 second address: 50F082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F082D second address: 50F0858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007FCC1D4AC75Eh 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0858 second address: 50F085C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F085C second address: 50F0862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0862 second address: 50F0868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0868 second address: 50F086C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F086C second address: 50F089C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCC1D4AF17Eh 0x00000012 and ax, 7058h 0x00000017 jmp 00007FCC1D4AF17Bh 0x0000001c popfd 0x0000001d mov di, ax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F089C second address: 50F08A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F08A2 second address: 50F08A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F09D0 second address: 50F09F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c mov dx, si 0x0000000f mov edi, eax 0x00000011 popad 0x00000012 je 00007FCC8F7620FCh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov edi, eax 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F09F3 second address: 50F0A34 instructions: 0x00000000 rdtsc 0x00000002 mov dl, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cl, dl 0x00000008 popad 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FCC1D4AF186h 0x00000015 mov ecx, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCC1D4AF187h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0A34 second address: 50F0AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCC8F7620A8h 0x0000000f pushad 0x00000010 call 00007FCC1D4AC75Ch 0x00000015 pushfd 0x00000016 jmp 00007FCC1D4AC762h 0x0000001b add ah, 00000068h 0x0000001e jmp 00007FCC1D4AC75Bh 0x00000023 popfd 0x00000024 pop esi 0x00000025 pushfd 0x00000026 jmp 00007FCC1D4AC769h 0x0000002b or ax, C886h 0x00000030 jmp 00007FCC1D4AC761h 0x00000035 popfd 0x00000036 popad 0x00000037 test byte ptr [77436968h], 00000002h 0x0000003e jmp 00007FCC1D4AC75Eh 0x00000043 jne 00007FCC8F76203Eh 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FCC1D4AC767h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0AED second address: 50F0AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0AF3 second address: 50F0AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0AF7 second address: 50F0B47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f mov ax, 771Bh 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FCC1D4AF17Fh 0x0000001e and al, 0000007Eh 0x00000021 jmp 00007FCC1D4AF189h 0x00000026 popfd 0x00000027 mov cx, BCC7h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0B47 second address: 50F0B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0B4D second address: 50F0BB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007FCC1D4AF186h 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 mov cx, AD6Dh 0x00000019 movzx ecx, bx 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FCC1D4AF184h 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FCC1D4AF180h 0x00000029 push dword ptr [ebp+14h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0BB4 second address: 50F0BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0BD1 second address: 50F0BE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0BE1 second address: 50F0BFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0BFB second address: 50F0C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0C2B second address: 50F0C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0C31 second address: 50F0C9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF17Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCC1D4AF17Ch 0x00000013 sub ax, EE18h 0x00000018 jmp 00007FCC1D4AF17Bh 0x0000001d popfd 0x0000001e call 00007FCC1D4AF188h 0x00000023 mov bx, si 0x00000026 pop eax 0x00000027 popad 0x00000028 mov esp, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FCC1D4AF188h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0C9D second address: 50F0CA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E484h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50F0CA6 second address: 50F0CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov bh, al 0x0000000d pushfd 0x0000000e jmp 00007FCC1D4AF187h 0x00000013 sbb ax, CA4Eh 0x00000018 jmp 00007FCC1D4AF189h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1056522 second address: 105652C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1056713 second address: 1056717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 1056717 second address: 1056758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FCC1D4AC763h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FCC1D4AC768h 0x00000019 jp 00007FCC1D4AC756h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100BCA second address: 5100BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100BD0 second address: 5100BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100BD4 second address: 5100C2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b mov cx, B749h 0x0000000f call 00007FCC1D4AF186h 0x00000014 pop esi 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007FCC1D4AF17Bh 0x0000001c add ax, 35AEh 0x00000021 jmp 00007FCC1D4AF189h 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100C2E second address: 5100C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100C32 second address: 5100C38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100C38 second address: 5100C7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC765h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCC1D4AC75Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FCC1D4AC767h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 510085A second address: 5100874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 jmp 00007FCC1D4AF17Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5100874 second address: 51008A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC768h 0x00000009 popad 0x0000000a mov ch, 52h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FCC1D4AC75Ch 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51008A7 second address: 51008AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, bl 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51008AE second address: 51008E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov si, 0593h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007FCC1D4AC766h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 call 00007FCC1D4AC75Dh 0x0000001d pop ecx 0x0000001e mov ecx, edx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51008E8 second address: 51008EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51008EE second address: 51008F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 518071B second address: 5180720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5180720 second address: 518075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 pushfd 0x00000007 jmp 00007FCC1D4AC765h 0x0000000c xor si, B746h 0x00000011 jmp 00007FCC1D4AC761h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov di, 55CEh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708EF second address: 51708F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708F3 second address: 51708F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708F9 second address: 51708FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708FF second address: 5170903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170903 second address: 5170907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170907 second address: 5170917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, dx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170917 second address: 517092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCC1D4AF17Ch 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 517092C second address: 517093E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AC75Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170844 second address: 5170849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170849 second address: 51708A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FCC1D4AC75Dh 0x0000000a or esi, 0C1DA566h 0x00000010 jmp 00007FCC1D4AC761h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FCC1D4AC75Ch 0x00000022 sbb ax, 1D08h 0x00000027 jmp 00007FCC1D4AC75Bh 0x0000002c popfd 0x0000002d mov ax, C77Fh 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708A3 second address: 51708A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708A7 second address: 51708AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708AD second address: 51708B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 51708B3 second address: 51708B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170AEC second address: 5170B51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF189h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCC1D4AF17Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCC1D4AF17Ch 0x00000019 sub ah, 00000068h 0x0000001c jmp 00007FCC1D4AF17Bh 0x00000021 popfd 0x00000022 jmp 00007FCC1D4AF188h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170B51 second address: 5170B9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCC1D4AC766h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov ebx, eax 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 popad 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, di 0x00000022 call 00007FCC1D4AC763h 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170B9F second address: 5170BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170BA5 second address: 5170BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC760h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f push esi 0x00000010 mov si, dx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push 8C89E878h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170BD0 second address: 5170BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170BD4 second address: 5170BDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170BDA second address: 5170C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AF184h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 7377178Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCC1D4AF17Dh 0x00000019 adc ch, 00000066h 0x0000001c jmp 00007FCC1D4AF181h 0x00000021 popfd 0x00000022 mov ah, DEh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170C5D second address: 5170CA4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCC1D4AC75Ah 0x00000008 adc al, FFFFFF98h 0x0000000b jmp 00007FCC1D4AC75Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 movzx eax, al 0x00000017 jmp 00007FCC1D4AC766h 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCC1D4AC75Ah 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5170CA4 second address: 5170CAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 13F47A second address: 13F495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCC1D4AC75Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 13F495 second address: 13F499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C050F second address: 2C052C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCC1D4AC762h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C052C second address: 2C0539 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C0539 second address: 2C053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C053E second address: 2C054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCC1D4AF17Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C054C second address: 2C055B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC75Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2BF56D second address: 2BF5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FCC1D4AF176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FCC1D4AF17Dh 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 jmp 00007FCC1D4AF17Ch 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCC1D4AF183h 0x00000026 jmp 00007FCC1D4AF189h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2BF9E7 second address: 2BFA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCC1D4AC756h 0x0000000a popad 0x0000000b jng 00007FCC1D4AC758h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2BFA00 second address: 2BFA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCC1D4AF176h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2BFA0A second address: 2BFA23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007FCC1D4AC756h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2BFA23 second address: 2BFA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2BFBBC second address: 2BFBC6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C32AA second address: 2C32AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C32AE second address: 2C32F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCC1D4AC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jnl 00007FCC1D4AC768h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ecx 0x00000017 jmp 00007FCC1D4AC75Bh 0x0000001c pop ecx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007FCC1D4AC75Ah 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C32F9 second address: 2C3308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C3308 second address: 2C330D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C330D second address: 2C336D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCC1D4AF186h 0x00000008 jnl 00007FCC1D4AF176h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop eax 0x00000012 jmp 00007FCC1D4AF17Bh 0x00000017 js 00007FCC1D4AF17Bh 0x0000001d mov esi, 7172AA25h 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 or cl, FFFFFFA3h 0x00000029 push 00000003h 0x0000002b mov dl, 8Fh 0x0000002d call 00007FCC1D4AF179h 0x00000032 jmp 00007FCC1D4AF17Ch 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b pushad 0x0000003c popad 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C336D second address: 2C3392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCC1D4AC769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C3392 second address: 2C3398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C3398 second address: 2C33BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007FCC1D4AC767h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C33BC second address: 2C3410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ebx 0x0000000c jmp 00007FCC1D4AF183h 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 cmc 0x00000014 movzx esi, bx 0x00000017 lea ebx, dword ptr [ebp+12458141h] 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007FCC1D4AF178h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 or dword ptr [ebp+122D2ACBh], ebx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C3410 second address: 2C3416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C3416 second address: 2C341B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C341B second address: 2C342E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FCC1D4AC756h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	RDTSC instruction interceptor: First address: 2C345F second address: 2C34B0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCC1D4AF176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FCC1D4AF178h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 movzx ecx, bx 0x0000002b push 00000000h 0x0000002d adc di, A334h 0x00000032 call 00007FCC1D4AF179h 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FCC1D4AF17Ah 0x0000003f rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: E9ECA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: E9C4EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 106E7CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 10D7A29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: 13ECA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: 13C4EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: 30E7CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: 377A29 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: 1480000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: 5040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Memory allocated: 2600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Memory allocated: 4810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory allocated: 1220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory allocated: 246C2560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory allocated: 246DA5F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4B30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 6F80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 7F80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 8100000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 9100000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 9400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 9400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: AA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: BA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: CA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: DA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: E230000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: F230000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 10230000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 94C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: CA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 9100000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: BA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: F230000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 77C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 8A00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: AA00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: DFF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: EFF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: EFF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: DFF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: AB00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 8A00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: AB00000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

Code function: 6_2_05170B9D rdtsc

6_2_05170B9D

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 592735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 592079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 591585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 590814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 590313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 589150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 588679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 588206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 584814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 584064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 583315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 582569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 582066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 581187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 580173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 579790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 579252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 577907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 577283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 576486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 576048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 574939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 574283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 573283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 572830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 572204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 564345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 560846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 559627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 558939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 558064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 557424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 556814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 555877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 555049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 554471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 552846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 551923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 551188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 549986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 549303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 548722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 547329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 546045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 545579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 545048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 544408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 543658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 543236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 542673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 542251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 541751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 540689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 540079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 539658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 538814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 538345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 537392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 536564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 535907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 535486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 535048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 534126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 533642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 533392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 533142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 532861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 532408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 531861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 531564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 531173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 530751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 530501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 530017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 529236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 528759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 528361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 527923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 527080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 526658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 526236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 525861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 525330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 525017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 524533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 524173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 523689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 523220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 522376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 522033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 520814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 519788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 519189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 518829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 518368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 517705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 517361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 517014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 516736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 516251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 515876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 515080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 514611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 514095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 513595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 512142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 511423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 511017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 510314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 510008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 509517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 509126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 508736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 508298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 507845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 507501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 507033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 506626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 506343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 505908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 504439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 503939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 503205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 502548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 501985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 501267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 499798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 499158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 498727
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 497658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 497095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 496595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 495658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 495001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 494455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 493939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 493533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 492798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 492236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 491861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 491501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 491189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 490673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 490329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 490109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 489670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 488720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 488298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 487908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 486642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 484626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 482439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 480626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 478642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 477908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 476298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 475782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 475220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 474501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 473861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 473314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 472848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 470533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 469017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 468283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 466986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 463876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 462830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 458970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 457986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 457345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 456888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 456173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 455658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 455080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 454579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 454048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 453595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 453283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 452986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 452189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 451908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 451517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 451064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 450783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 450455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 449829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 449411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 448626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 448095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 447811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 447439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 446814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 446486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 446220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 445783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 445486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 445189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Window / User API: threadDelayed 2948	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 991
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 919
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 977
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 1034
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 1096
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 852
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 1059
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 1092
Source: C:\Users\user\1000021002\2c9ff67496.exe	Window / User API: threadDelayed 773
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 4297
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Window / User API: threadDelayed 4143
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 637
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 732

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-46082

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\o70oR4A1odPm6ZpEPmcUY0kf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\VOC2vgozeooRPwe4xNfnekbg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Ud8P6u9zcQkOThPmdNJauqRX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\XBajRwldCSS42gwh4zu9f3ce.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\p7KXtY1OslUIeP9Ce7HA7pcJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ArokRzfYMxWDCVlcYzlFE2Lj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ar5KINQCCayk0Kw6DN1FAVFx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\qXzqKXhtyyRVQ12sGB23FDz0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\iiEhcrEC7kfTSvcQ2xPEqYzR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\WIZZw2jIWtghnINz7Bolcg6s.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\h9zNDFfiMy6YEXVQdIbIdOv5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\GcbucsdsAk7dv2EzyRdhbByI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\R7igej85hEl8p5QzHqqsVcc4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\k4a17b3U4KeqWyuMzrdWzqyt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\joRzh0eN9ubjpRYMOMHaTsYl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\zQeTuw5vxgdbKmiVRBeW6SUZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\vG3D68E3KVPIYrQEMWMU27tl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\zqrjs0OTmaC5sGR5VDn5k391.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\vQkPzCCvFzBxzLEPKtUXhb4x.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\27xttgdEmHmLdE1NNbjDPunl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\WmwQPTarASP4EtQ3MAZKQqLX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\4ebcbWCvvuWPOCPYovXXMriV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CwwSkg4Z6r2CyUx7eieftoSL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\US6SMVSChPuNg0C79rqEySgv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Nx2ualF4WR83o8BLpmD9zVrW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\9DP8FgphO9xB4vzM75llXw4b.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\fW9mvrDIULE1qzTuYb8DunLu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\0FhI3ymKwyu4YKH0P5aiSwr9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NAw5Utgp8P611rdec0BR0MlI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\7mRVtPlrMfZmo26ldo406lmd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\kivxs7Zej5QjZRx4S943Y5EA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Yv6kDvOTN4rtEsFYOeCJZShm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\FMABIYNaDvdpX82vGnLOftDu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\OjMaXQfausZW7L4bZ74RhT97.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zy6qmavCIexKIuB9nNrNHs9p.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\jDKkqPCmIoUaiq9LrPYuCKQs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\NXXoMKuzuftWWcaGwWfRizTp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\TexEUOb49XCfEjOcQuxS4LdR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\DqApJooverXr18YkrozyIUpZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\F5nHoJjiPsXq9PqBPnN3uVb5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\qiW5UZkXzhMJ8qrVDgrcAGm1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ARFJvysANOCKBRK3eId7VsQB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\aR1aAXIrzQtExVh9FbdfoBrR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\lI1wLYD1b5s5Qo04Ewg0WqV1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\xFvJiGaaRqrUdwrQth3PHHC0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NAo5jaAAmqipcIgVfrpEqrOC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\fRiNFTEVJnpONJofzyWKlqwW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\gsF9GZceaIYWveF9Wn0mXwbt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\6lvatP6Q76Lt1uvfZT2GD6HY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Loo9WoJBx4a6RLa9vZq7467f.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\UrMKiBsPUmHBdjATiF2xGFWW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\5Xza309AWSsKZ7QtcoKLlH6j.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\xYhK2iEXeksXlPa9BMLXm5tE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\D8TGVGr0asGkgU3ycSpOmYcn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Yg9IAPVdFD93gbLGPdcvbgw2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Y0ZKJ4dRBRkIRESl8nT570lZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\enEog6vYdNgmFKOyGbVQTrXc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\91wCUE8aqMgtssmXq8JjQEVt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\OFqYXukHEjQzmQ3ijziOsyC5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Czc5fung6FsMhCVG7EMYaiqO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ELbDrf9qIHQaBWPxuiJjUCoM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\f3qMySWuesp6iqsnQUyX8UG1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\VUhKLgvybQx21ilX50E3IN7y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\v4pPJZm6TK3eJidyD0YTpSI8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\cqEYVGnsRBmElwXA0pViDIv4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\nw6IIdZQfEhqp8k6unIrj2qH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\N14E2wCpaY7ufVWw1V4rquym.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\w73g23dHAf0dTWCMUXFqmd74.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\dLosfqkp920zMbaetcnvwrJJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\z2u4DwiwBezR2xi11GPVbROw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ybCY5oONgBmPsQ2TsLXObZGj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\aAFMFn8XgxK4ax5TQ7f1st28.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\bVARrzkwQmnP1mnoffZ1HExy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\WllNfMrTNMJ4E1bpkfOuURJc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\O8qlhpLK7TtBYe0J94Fm1B86.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\PbrRyuOT2DJaFlbAzGY6neq7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\VRZS2eg6KpyehTgltwjCKDt4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\J6EKnVYc7FheOARgvJ4DtZho.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\RbvLNaGRBEsayaSXnP4Zo5B2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\JkJexXpPrIyNVfwGJRUJua9O.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\604jEG5qQpdnhPVOdLS1sPeh.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ZFNbxiSI6dIgrSto9a3Z7jlo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\YdDMLcotJvPaOVEHpalanl1d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000081001\install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\tRGz8YUeJOvAWwmplTaCNv1T.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\3bvlPX7g5Zc6pp8TPpEM470u.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\2D21U1bRl2sEI2OnuIMYALNl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\TwRm9Z0OjBAq1e9wDGeHmdCv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\bU6cqro2wPcmClLzDGRpxfw1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\3OywHIBuj0AIQ7Aq3CE27htS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\pTXFwTPyWVPZ4sTiGkA8a5ei.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\GFV2yyE0PpJkpGdl2N1D7Pr9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\kqcWDzUDzGODoV7JWmwBlZRR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Tn3AK9zqC5GmoiH5iA9IY9Q6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\v7Li9n9DDXtQeZJRorH86P5g.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\hQa9fYPzQBrGD6byFRloLN5U.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\gpxXZca2LPxp8nx3YxfAq52Q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\vwsgN3REbITHxJG5vlKYY3Vx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\fybzTZ3WiLAPEZj0fVOx3M0F.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\7QngCiEI0nWQ5NI3rtCate4r.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\install[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\eNB1RX0hn7cF5yIvRdwV0Sdv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\yNQkYyPgov8fX5k7nVDGzk6w.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\nRXc5v7fBpZ3Rt6WXas92N9q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\0rCtm6Hv5UQtXJOFVlEJjcOA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\bsl30mcD1mRV5YLU9isxcsMk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\UnZ9xXtOVzbDDdfuNC2Trxtk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Te8IoKHiu7i6R94P1wuixO8g.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ZA6xyNAEYiDprMq2qgywyku5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\TEpqQjIAfTfCTbePKUGsV0Gk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\uU9N3wILYLaLsdrVTU78EpKz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_7-46851

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2716	Thread sleep count: 2948 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2716	Thread sleep time: -88440000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2132	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6324	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2716	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 2524	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232	Thread sleep count: 109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 5232	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3328	Thread sleep count: 991 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3328	Thread sleep time: -1982991s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4180	Thread sleep count: 919 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4180	Thread sleep time: -1838919s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3320	Thread sleep count: 977 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3320	Thread sleep time: -1954977s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 884	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3160	Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 3160	Thread sleep time: -1380000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5560	Thread sleep count: 1034 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5560	Thread sleep time: -2069034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 420	Thread sleep count: 1096 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 420	Thread sleep time: -2193096s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7280	Thread sleep time: -2160000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2644	Thread sleep count: 852 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2644	Thread sleep time: -1704852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2720	Thread sleep count: 1059 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2720	Thread sleep time: -2119059s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2224	Thread sleep count: 1092 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2224	Thread sleep time: -2185092s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2260	Thread sleep count: 155 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7664	Thread sleep count: 76 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7664	Thread sleep count: 55 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2260	Thread sleep count: 66 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7292	Thread sleep count: 155 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7660	Thread sleep count: 67 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7660	Thread sleep count: 47 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7292	Thread sleep count: 58 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7812	Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7976	Thread sleep count: 4297 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7976	Thread sleep time: -4297000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 16708	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 16708	Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 8104	Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 8104	Thread sleep count: 104 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 4396	Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 4396	Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe TID: 8104	Thread sleep count: 77 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe TID: 644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7576	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620	Thread sleep count: 110 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620	Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8432	Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8432	Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620	Thread sleep count: 52 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep count: 42 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -38738162554790034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7532	Thread sleep count: 732 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -599790s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -599665s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -599393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -599086s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -598959s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8052	Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -598668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -598313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -598000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -597750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -597532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -596922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -596391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -595943s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -595625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -595360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -595032s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -594407s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -593844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -593344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -592735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -592079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -591585s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -590814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -590313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -589150s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -588679s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -588206s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -584814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -584064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -583315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -582569s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -582066s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -581187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -580173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -579790s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -579252s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -577907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -577283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -576486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -576048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -574939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -574283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -573283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -572830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -572204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -564345s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -560846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -559627s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -558939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -558064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -557424s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -556814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -555877s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -555049s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -554471s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -552846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -551923s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -551188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -549986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -549303s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -548722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -547329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -546045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -545579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -545048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -544408s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -543658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -543236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -542673s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -542251s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -541751s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -540689s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -540079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -539658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -538814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -538345s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -537392s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -536564s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -535907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -535486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -535048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -534126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -533642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -533392s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -533142s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -532861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -532408s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -531861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -531564s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -531173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -530751s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -530501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -530017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -529236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -528759s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -528361s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -527923s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -527080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -526658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -526236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -525861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -525330s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -525017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -524533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -524173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -523689s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -523220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -522376s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -522033s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -520814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -519788s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -519189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -518829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -518368s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -517705s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -517361s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -517014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -516736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -516251s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -515876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -515080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -514611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -514095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -513595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -512142s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -511423s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -511017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -510314s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -510008s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -509517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -509126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -508736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -508298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -507845s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -507501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -507033s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -506626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -506343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -505908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -504439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -503939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -503205s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -502548s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -501985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -501267s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -499798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -499158s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -498727s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -497658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -497095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -496595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -495658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -495001s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -494455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -493939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -493533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -492798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -492236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -491861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -491501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -491189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -490673s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -490329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -490109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -489670s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -488720s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -488298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -487908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -486642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -484626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -482439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -480626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -478642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -477908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -476298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -475782s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -475220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -474501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -473861s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -473314s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -472848s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -470533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -469017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -468283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -466986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -463876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -462830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -458970s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -457986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -457345s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -456888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -456173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -455658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -455080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -454579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -454048s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -453595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -453283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -452986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -452189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -451908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -451517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -451064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -450783s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -450455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -449829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -449411s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -448626s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -448095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -447811s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -447439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -446814s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -446486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -446220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -445783s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -445486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -445189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_002466F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	7_2_002466F0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0023FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,	7_2_001F3EC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00191F9C FindClose,FindFirstFileExW,GetLastError,	7_2_00191F9C
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00225F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	7_2_00225F80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00192022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	7_2_00192022
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	7_2_001F3850

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FD78B0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

2_2_00FD78B0

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 592735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 592079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 591585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 590814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 590313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 589150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 588679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 588206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 584814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 584064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 583315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 582569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 582066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 581187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 580173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 579790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 579252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 577907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 577283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 576486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 576048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 574939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 574283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 573283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 572830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 572204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 564345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 560846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 559627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 558939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 558064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 557424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 556814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 555877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 555049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 554471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 552846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 551923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 551188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 549986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 549303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 548722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 547329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 546045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 545579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 545048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 544408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 543658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 543236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 542673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 542251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 541751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 540689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 540079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 539658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 538814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 538345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 537392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 536564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 535907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 535486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 535048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 534126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 533642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 533392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 533142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 532861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 532408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 531861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 531564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 531173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 530751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 530501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 530017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 529236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 528759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 528361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 527923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 527080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 526658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 526236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 525861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 525330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 525017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 524533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 524173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 523689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 523220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 522376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 522033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 520814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 519788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 519189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 518829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 518368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 517705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 517361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 517014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 516736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 516251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 515876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 515080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 514611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 514095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 513595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 512142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 511423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 511017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 510314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 510008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 509517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 509126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 508736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 508298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 507845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 507501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 507033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 506626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 506343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 505908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 504439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 503939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 503205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 502548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 501985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 501267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 499798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 499158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 498727
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 497658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 497095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 496595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 495658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 495001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 494455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 493939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 493533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 492798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 492236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 491861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 491501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 491189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 490673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 490329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 490109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 489670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 488720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 488298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 487908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 486642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 484626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 482439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 480626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 478642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 477908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 476298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 475782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 475220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 474501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 473861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 473314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 472848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 470533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 469017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 468283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 466986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 463876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 462830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 458970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 457986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 457345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 456888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 456173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 455658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 455080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 454579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 454048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 453595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 453283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 452986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 452189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 451908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 451517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 451064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 450783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 450455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 449829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 449411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 448626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 448095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 447811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 447439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 446814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 446486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 446220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 445783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 445486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 445189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8A
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MPGPH131.exe, 00000014.00000003.2820152073.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2820638469.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2819486328.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3127253259.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2819877346.0000000005C2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADM
Source: MPGPH131.exe, 00000013.00000003.2843661605.0000000006035000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUuj
Source: RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2*
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nteractive Brokers - HKVMware20,11696487552]
Source: 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: aea7caadbf.exe, 00000021.00000002.3117284660.00000000010C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8i
Source: RegAsm.exe, 0000002F.00000002.2455354430.00000000014F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegAsm.exe, 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWl
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Temp\9ac011e0-5a83-469e-a698-55282c006efc.tmp
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.00000000013ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: amert.exe, 00000006.00000003.2192470141.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!
Source: aea7caadbf.exe, 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ks
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\| UE
Source: netsh.exe, 0000001B.00000003.2305479100.0000022A9AC75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: RageMP131.exe, 00000030.00000002.3131365441.0000000001080000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000013.00000002.2957184812.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8A9uNEl
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs.comVMware20,11696487552
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8A I
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nara Change Transaction PasswordVMware20,11696487552^
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: amert.exe, amert.exe, 00000006.00000002.2239077402.000000000102A000.00000040.00000001.01000000.00000009.sdmp, explorha.exe, 00000008.00000002.4578788023.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp, explorha.exe, 00000009.00000002.2286142731.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rundll32.exe, 00000017.00000002.4575050800.000002161D690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@]m
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\| UE
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000108A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: MPGPH131.exe, 00000014.00000003.2290450601.0000000001447000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_
Source: aea7caadbf.exe, 00000021.00000003.2806627544.0000000005C48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0},"ongoing_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0}}},"variations_compressed_seed":"H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02Ohsoxy
Source: RageMP131.exe, 00000030.00000002.3131365441.000000000108C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Temp\5567ef92-dbe9-4ad2-9045-8f930e3d7ed6.tmp
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: explorta.exe, 0000002C.00000002.2755047302.0000000001868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__q
Source: aea7caadbf.exe, 00000021.00000003.2808145085.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}XNTV0SCJuN1GCyDeTsccFPeu9+DtRuOIzpuPOHMWFCH4SYrrhIIF+VmRVSkbN671zwLeLYomOj6BxuG4WR0H8+Rivo4a5BAWT1bV5dHpshkYrOka+p8vn3VPA9qlgL8Tk27kWvHNRJXPl7UkYvCoDMNFU/36++C/jG6pgvhw/J6+PCmsW1ynBiLNzuR9AXJKT6RtkzVJ5JXS6W4LXIi22NeLtP7Ikk+0n7QDGjovSf2FNmrxFItlk5hpx/2HxYs7bUXx8wlhYhOe6vmYTYhwDGkC95TfsGbkuhMXPDu24Tk7yZ0vkv8IwoJIe02kWQ6IIm9jZj5kyhHMSGTfMV1KramijuIQ61Lh4JuwhDKy5sdv4lPBppbXLx9SLeTS6Kn4usBfnhOPZZ7l5cpc73VFZYd77s7LnUzNMXxxIpimnULqgLSaHyIqzMQjKsPItp3JQyx5CerGBHz+72bou4eRv4TJR7md171SZI7d8swF+mIEVAJCa+4QbnpduN+YKaqd+XlImpqvGTlKejMnbf5C3VoY6JqyIprHM127oDjSKid9WWwYkCjOIWoJ9cPNs1rEHZ7g0TIw+CKfhqUxdWSSZy1s0xEmvRteTep7wHsWEq3bric1I0yUTA1xPBeKNpfYj0KIFBfGvzhZMFqKcVarTu4qW7iA/0/ou6h8oRON7pvR/Drqz1sh2V/nTyeLJBoScoTC2kP+Z5joN7z4enaTfObIPJ73aAl7nk82ybN7HgXREVh9sTgLim/ZFJ5ILI8FVqHlTjEcHZYzg3iLhWWXwtL8duCV9PO06EahABTLaH/dJMlgRfEm+xqei1EiLMQRE1A3wjzPysQesfpyIP7QZIIOwr8Fac1720ciptOJHnqRhOYMUatUHgvBfyvSdxZFncyCHH8s5lxNPR9Ckhzt/OyLoXmbZmd7lnu+m7uljsgn0XpsdfOO+Hb6A8sp3Lny7Crg5eEH7FkVTGHF1dB5sUfLHUBgegCLm9az5mP4IHm53G3d6FaRVSjxbt/cmY1A4yoMWgbu753WBLmKf7XoP0a3ATliu2meo4ycXIQcFDZxSBsE/n8lIc9Rjs7JH9hU+UalUXvLlk3QUNIdExIuU0zLb9VKS5YYAUp8v1L58qp6JEfI2T1GH8BNpLTSa1mvlaKprJUJIpnWr30WVhfG1wRno7Ou3cF2tpP3xF2pkOU5vy86XhhyxlqE9HTLQYUMojgV8q9ODzUXLbxWzK/ZKI3rkrIGFkZmRdr0WffmX91WbitQH63DCEnQ3rutG1DBIXV73QYXkiqmMW8Vu+F6IYaFLPFibpYCvWdqa5euzm4wASrFl7hx59wixe916VrWor7/LR1RwbfRM3ZDHiA9d+r6uLhAvkHE/7GY8XhfjaF3eiso7gDvw56tlyKHcJ9locNvwwauttSLO9tH2h4ABpfxVeWp5cNhRjml3ecGiVDs4vikm7dU4OOrv4FdDu3621TEC0ZAvx3cJzKlwVHqcJLgEQoOC9dwoKN8VJSL1Uo6cd8X/oURNbmKMNyh3jqv8o3J29EtLi4ZBGlmf8ljmlqYy97XCx4/+XmHd8a7VK/ZK+ox1GWo1ve2zhapCJZntBNUx2+Ab5E8v7CAFVcOpXvV+AAAxe3TeLs943LDxb4iTGvD6fIRB4J6ZR6jI+EPw959sgDkaVvANG7Nr72KQ8LuBIgyQfqf+m+iHiUj4SLub8eUbGXr45sj5eH6SVxU0CxrdR34NEWUjCII5KmpCckr5zRxXbaffxgnZdm2vKKO081W1smR0p8/nOBzQ8DI3feQCIChRSRIOORV9wT6RphUcA0b4nNYsG/2swVxRBK8YOLh3g0m
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: jok.exe, 00000020.00000002.4626441113.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002C93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: amert.exe, 00000006.00000002.2239077402.000000000102A000.00000040.00000001.01000000.00000009.sdmp, explorha.exe, 00000008.00000002.4578788023.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp, explorha.exe, 00000009.00000002.2286142731.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: aea7caadbf.exe, 00000007.00000003.2846166620.00000000058AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000al\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsL,
Source: MPGPH131.exe, 00000013.00000003.2844575612.000000000602B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-1028231-15-52,P-X-1087217-10-23,P-X-1110552-2-3,P-X-1108288-1-7,P-X-1100779-2-7,P-X-1092122-2-9,P-X-1096650-2-6,P-X-1105131-2-6,P-X-1097232-7-13,P-X-1104872-1-9,P-X-1103964-2-3,P-X-1099080-1-9,P-X-1089758-2-11,P-X-1102990-2-3,P-X-1102008-2-7,P-X-1063575-3-11,P-X-1102153-2-4,P-X-1071006-1-5,P-X-1100769-1-3,P-X-1099659-1-3,P-X-1095668-2-7,P-X-1097226-1-5,P-X-1083898-4-17,P-X-1095524-1-3,P-X-1063514-2-6,P-X-1094047-1-6,P-X-1092821-2-3,P-X-1092738-2-3,P-X-1092158-1-3,P-X-1068889-5-13,P-X-1086546-21-84,P-X-1091091-2-4,P-X-1089774-2-7,P-X-1089256-2-5,P-X-1089119-2-6,P-X-1013679-2-5,P-X-1087661-2-6,P-X-1085156-1-3,P-X-1082985-5-11,P-X-1082074-3-7,P-X-1047521-4-21,P-X-1080712-1-5,P-X-1079473-2-6,P-X-1048662-1-13,P-X-1077532-1-5,P-X-1077147-1-9,P-X-1056699-36-118,P-X-1067018-2-4,P-X-1043380-1-18,P-X-1071593-2-4,P-X-1070560-4-8,P-X-1070133-1-6,P-X-1070026-3-7,P-X-1056537-1-9,P-X-1067718-1-3,P-X-1066229-1-7,P-X-1050101-1-9,P-X-1061902-3-17,P-X-1053062-1-5,P-X-1058142-1-7,P-X-1059966-1-9,P-X-1052772-23-44,P-X-1043219-25-50,P-X-1054089-1-3,P-X-1052254-4-10,P-X-1021723-3-16,P-X-1048870-3-8,P-X-1048071-1-5,P-X-1047513-1-5,P-X-1026324-3-20,P-X-1010579-1-9,P-X-1008556-23-99,P-X-1037615-1-7,P-X-1006190-9-15,P-X-1036081-1-3,P-X-1027402-7-15,P-X-1020537-2-6,P-X-1012411-2-9,P-X-100876-37-228,P-X-117040-1-5,P-X-113035-2-9,P-X-97954-9-89,P-X-91270-7-51,P-R-1089873-14-4,P-R-1080087-6-13,P-R-1075857-18-21,P-R-1068861-4-10,P-R-1047495-8-15,P-R-1044077-26-18,P-R-1008497-12-13,P-R-87486-2-16,P-R-86300-4-56,P-R-83096-12-34,P-R-67067-6-47,gb1ee141:447804,3j0gg466:431877,resetbing:447060,c1i80862:426410,wponsat2_50:441048,jj2e6986:422781,995h3546:443806,9djb2419:437170,bfcg7827:432826,t9qranimationemailautofill:439591,70030996:441561,ebd3g171:445684,tp-long:439700,b01ji385:438026,i1g2g604:437359,9ffeg962:402950,e37a0582:438880,bingchatqueries_5_impression_with_redirect_urls:403574,3da3b319:434919,d68dd294:435290,web-select-unship:450753,8j079527:448887,i2e7g608:426901,6h1eh131:441212,e92c6808:416905,10ad8400:434605,9d4ca945:415901,identifydb:415105,walletpswlinkupdate:438029,ijd96734:409016,1c484819:413463,0188i430:410947,74g97287:426089,3cej0868:387697,bi4f4994:450434,j4d0f649:415920,be37a759:398467,9cc60973:411866,downarrowscrollwithtriggernew:379502,nonfloatingwithouttoggle:430356,f7bdg612:421301,d78jg254:440485,60a06606:446395,e8455899:433611,ed254cf:256436,a5g3j174:427088,domexpansion_v1:408272,sidepanecashbackclickv1:392715,ed429:371711,savingsyesui:360239,0iie5378:378326,j3jdi477:407165,g9744299:382390,0ce12802:395899,ed0317:378541,d699f664:417781,v1_newnotificationsettingsu:371743,13gjf650:361709,2chfa640:363442,edse218:361564,i5ceh755:348150,pcproductbyregexenus:345020,2ae48381:440529,i4d2e897:416850,0cdi8526:390116,158hf900:358403,edpas404:384675,followablewebwpo:339322,1ebea465:393468,72dhd990:347218,b5691989:400307,v11_aocgroups2and3:393492,d8ej1711:320853,edtok960
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2822300520.0000000005A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}collectionv1:285601,edklo447:358232,designershoreline-215:384841,edweb468:191638,ed672:193569,linkui:417512,ededg840:189491","EdgeConfig":"P-R-1141099-1-3,P-R-1136586-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1132367-1-7,P-R-1132544-1-6,P-R-1132175-1-3,P-R-1130507-1-5,P-R-1113531-4-9,P-R-1108562-1-7,P-R-1103742-4-6,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1095721-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-25,P-R-1080066-1-13,P-R-1077170-1-3,P-R-1060324-1-5,P-R-1052391-1-8,P-R-1039913-1-16,P-R-1036635-2-5,P-R-110491-23-70,P-R-68474-9-12,P-R-61206-14-17,P-R-61153-10-15,P-R-45373-8-85,P-R-46265-41-100","EdgeDomainActions":"P-R-1093245-1-12,P-R-1037936-1-9,P-R-1024693-1-9,P-R-108604-1-34,P-R-78306-1-18,P-R-73626-1-17,P-R-71025-5-13,P-R-63165-4-26,P-R-53243-2-7,P-R-40093-3-26,P-R-38744-7-97,P-R-31899-21-463,P-D-1138318-1-3,P-D-98331-6-31","EdgeFirstRun":"P-R-1103650-18-8,P-R-1021718-2-31,P-R-116827-1-15","EdgeFirstRunConfig":"P-R-1075865-1-7","Segmentation":"P-R-1113915-25-8,P-R-1098334-1-6,P-R-66078-1-3,P-R-66077-1-5,P-R-60882-1-2,P-R-43082-1-3,P-R-42744-1-2"}96-12-34,P
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp, explorta.exe, 00000002.00000002.4589350907.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.000000000108B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.0000000001435000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVCh
Source: RageMP131.exe, 00000030.00000003.2463397355.0000000001092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: RageMP131.exe, 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Microsoft\Windows\Explorer\thumbcache_256.db{
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENTy
Source: aea7caadbf.exe, 00000007.00000003.2842683229.00000000059F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: MPGPH131.exe, 00000014.00000002.3124637144.00000000013E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4D80BF8Aec
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: aea7caadbf.exe, 00000021.00000003.2808145085.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsu
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MPGPH131.exe, 00000014.00000002.3124637144.0000000001435000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&}
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\Default\Local Storage\leveldb\000003.log
Source: MPGPH131.exe, 00000013.00000002.2953499946.00000000013ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&1
Source: aea7caadbf.exe, 00000007.00000003.2831123140.00000000058C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omVMware20,11696487552\| UE
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 00000029.00000002.3096645849.0000000001689000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdY
Source: MPGPH131.exe, 00000013.00000002.2953499946.0000000001420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Local\Google\Chrome\User Data\Default\Visited Links
Source: file300un.exe, 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: jok.exe, 00000020.00000002.4971718774.00000000061F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4106241586.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2c9ff67496.exe, 0000000B.00000003.3969608174.00000000038D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: aea7caadbf.exe, 00000021.00000002.3117284660.0000000001104000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\Default\Local Storage\leveldb\000003.log}'"*
Source: aea7caadbf.exe, 00000021.00000002.3118681563.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}XNTV0SCJuN1GCyDeTsccFPeu9+DtRuOIzpuPOHMWFCH4SYrrhIIF+VmRVSkbN671zwLeLYomOj6BxuG4WR0H8+Rivo4a5BAWT1bV5dHpshkYrOka+p8vn3VPA9qlgL8Tk27kWvHNRJXPl7UkYvCoDMNFU/36++C/jG6pgvhw/J6+PCmsW1ynBiLNzuR9AXJKT6RtkzVJ5JXS6W4LXIi22NeLtP7Ikk+0n7QDGjovSf2FNmrxFItlk5hpx/2HxYs7bUXx8wlhYhOe6vmYTYhwDGkC95TfsGbkuhMXPDu24Tk7yZ0vkv8IwoJIe02kWQ6IIm9jZj5kyhHMSGTfMV1KramijuIQ61Lh4JuwhDKy5sdv4lPBppbXLx9SLeTS6Kn4usBfnhOPZZ7l5cpc73VFZYd77s7LnUzNMXxxIpimnULqgLSaHyIqzMQjKsPItp3JQyx5CerGBHz+72bou4eRv4TJR7md171SZI7d8swF+mIEVAJCa+4QbnpduN+YKaqd+XlImpqvGTlKejMnbf5C3VoY6JqyIprHM127oDjSKid9WWwYkCjOIWoJ9cPNs1rEHZ7g0TIw+CKfhqUxdWSSZy1s0xEmvRteTep7wHsWEq3bric1I0yUTA1xPBeKNpfYj0KIFBfGvzhZMFqKcVarTu4qW7iA/0/ou6h8oRON7pvR/Drqz1sh2V/nTyeLJBoScoTC2kP+Z5joN7z4enaTfObIPJ73aAl7nk82ybN7HgXREVh9sTgLim/ZFJ5ILI8FVqHlTjEcHZYzg3iLhWWXwtL8duCV9PO06EahABTLaH/dJMlgRfEm+xqei1EiLMQRE1A3wjzPysQesfpyIP7QZIIOwr8Fac1720ciptOJHnqRhOYMUatUHgvBfyvSdxZFncyCHH8s5lxNPR9Ckhzt/OyLoXmbZmd7lnu+m7uljsgn0XpsdfOO+Hb6A8sp3Lny7Crg5eEH7FkVTGHF1dB5sUfLHUBgegCLm9az5mP4IHm53G3d6FaRVSjxbt/cmY1A4yoMWgbu753WBLmKf7XoP0a3ATliu2meo4ycXIQcFDZxSBsE/n8lIc9Rjs7JH9hU+UalUXvLlk3QUNIdExIuU0zLb9VKS5YYAUp8v1L58qp6JEfI2T1GH8BNpLTSa1mvlaKprJUJIpnWr30WVhfG1wRno7Ou3cF2tpP3xF2pkOU5vy86XhhyxlqE9HTLQYUMojgV8q9ODzUXLbxWzK/ZKI3rkrIGFkZmRdr0WffmX91WbitQH63DCEnQ3rutG1DBIXV73QYXkiqmMW8Vu+F6IYaFLPFibpYCvWdqa5euzm4wASrFl7hx59wixe916VrWor7/LR1RwbfRM3ZDHiA9d+r6uLhAvkHE/7GY8XhfjaF3eiso7gDvw56tlyKHcJ9locNvwwauttSLO9tH2h4ABpfxVeWp5cNhRjml3ecGiVDs4vikm7dU4OOrv4FdDu3621TEC0ZAvx3cJzKlwVHqcJLgEQoOC9dwoKN8VJSL1Uo6cd8X/oURNbmKMNyh3jqv8o3J29EtLi4ZBGlmf8ljmlqYy97XCx4/+XmHd8a7VK/ZK+ox1GWo1ve2zhapCJZntBNUx2+Ab5E8v7CAFVcOpXvV+AAAxe3TeLs943LDxb4iTGvD6fIRB4J6ZR6jI+EPw959sgDkaVvANG7Nr72KQ8LuBIgyQfqf+m+iHiUj4SLub8eUbGXr45sj5eH6SVxU0CxrdR34NEWUjCII5KmpCckr5zRxXbaffxgnZdm2vKKO081W1smR0p8/nOBzQ8DI3feQCIChRSRIOORV9wT6RphUcA0b4nNYsG/2swVxRBK8YOLh3g0mL
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: amert.exe, 00000006.00000003.2192470141.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*h
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\Default\Local Storage\leveldb\000003.logxh
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RageMP131.exe, 00000030.00000003.2821833886.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: aea7caadbf.exe, 00000007.00000003.2675850557.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: jok.exe, 00000020.00000002.4795957308.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

Code function: 6_2_05170B9D rdtsc

6_2_05170B9D

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_0100628E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0100628E

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

7_2_0022F200

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01005D0B mov eax, dword ptr fs:[00000030h]	2_2_01005D0B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_01009A72 mov eax, dword ptr fs:[00000030h]	2_2_01009A72
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00226D00 mov eax, dword ptr fs:[00000030h]	7_2_00226D00
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_001F3EC0 mov eax, dword ptr fs:[00000030h]	7_2_001F3EC0

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Code function: 7_2_002499F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

7_2_002499F0

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_00FEC9CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00FEC9CC
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Code function: 2_2_0100628E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0100628E
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_0019451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0019451D
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: 7_2_00198A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00198A64

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: swiiiii[1].exe.8.dr, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "FreeConsole")
Source: swiiiii[1].exe.8.dr, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "VirtualProtectEx")
Source: swiy[1].exe.8.dr, Angelo.cs	Reference to suspicious API methods: Program.CreateRemoteThread(uint.MaxValue, 0u, 0u, ref Eugene.SuperBook[num], RemoteObjects.userBuffer, 0, ref WPA)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FD6A70 std::_Xinvalid_argument,GetModuleFileNameA,CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

2_2_00FD6A70

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

7_2_0022F200

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pillowbrocccolipe.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: communicationgenerwo.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: diskretainvigorousiw.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: affordcharmcropwo.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dismissalcylinderhostw.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: enthusiasimtitleow.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: worryfillvolcawoi.shop
Source: swiiiii.exe, 00000016.00000002.2638210902.0000000004045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cleartotalfisherwo.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: boredimperissvieos.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: holicisticscrarws.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: sweetsquarediaslw.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: plaintediousidowsko.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: miniaturefinerninewjs.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: zippyfinickysofwps.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: obsceneclassyjuwks.shop
Source: gold.exe, 0000002D.00000002.2412290927.000000000066D000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: acceptabledcooeprs.shop

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FC5008
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1133008
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AF9008
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 457000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11CF008

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FD6E30 ShellExecuteA,Sleep,Sleep,__Init_thread_footer,CreateThread,Sleep,

2_2_00FD6E30

Source: C:\Users\user\Desktop\fjL0EcgV6Y.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe "C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\1000021002\2c9ff67496.exe "C:\Users\user\1000021002\2c9ff67496.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\1000021002\2c9ff67496.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: unknown unknown

Source: 2c9ff67496.exe, 0000000B.00000000.2237972193.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp, 2c9ff67496.exe.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: amert.exe, amert.exe, 00000006.00000002.2239077402.000000000102A000.00000040.00000001.01000000.00000009.sdmp, explorha.exe, 00000008.00000002.4578788023.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp, explorha.exe, 00000009.00000002.2286142731.00000000002CA000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FECBC7 cpuid

2_2_00FECBC7

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	7_2_0023FE80
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: EnumSystemLocalesW,	7_2_001AB1B1
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetLocaleInfoW,	7_2_001B31CA
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_001B32F3
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetLocaleInfoW,	7_2_001B33F9
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_001B34CF
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetLocaleInfoW,	7_2_001AB734
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_001B2B5A
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetLocaleInfoW,	7_2_001B2D5F
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: EnumSystemLocalesW,	7_2_001B2E06
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: EnumSystemLocalesW,	7_2_001B2E51
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: EnumSystemLocalesW,	7_2_001B2EEC
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_001B2F77

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\1000021002\2c9ff67496.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\1000021002\2c9ff67496.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\MXPXCVPDVN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\SQRKHNBNYN.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\SQRKHNBNYN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\UOOJJOZIRH.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\VAMYDFPUND.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_0100ABF2 GetSystemTimeAsFileTime,

2_2_0100ABF2

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FD6160 GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

2_2_00FD6160

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

7_2_0023FE80

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

Code function: 2_2_00FD78B0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

2_2_00FD78B0

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Source: RegAsm.exe, 00000019.00000002.2403342364.000000000147D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 31.2.rundll32.exe.6be60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 31.2.rundll32.exe.6be60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorha.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.amert.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.explorha.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.7ffd84eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.explorta.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fjL0EcgV6Y.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.explorta.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.explorta.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.2426954025.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2083851627.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2102606370.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4574731193.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2407964114.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4581588871.00007FFD84FAD000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4573587455.0000000000FD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4578583730.000000006BE61000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2238783489.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2239011126.0000000000E31000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2064758030.0000000003380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2245209175.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2177043340.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2084843739.0000000001DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2285975252.00000000000D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2091875914.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7772, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 32.0.jok.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jok.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe, type: DROPPED

Yara detected RisePro Stealer

Source: Yara match	File source: 00000007.00000002.3093234156.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3127044186.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aea7caadbf.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aea7caadbf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FBI40obsDIWEYEPEV328oLc.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\CaDLjLgaJOb2EJDbtX6Wfco.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rwhVS5Gl_u4JEiZA0FdJsuV.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bz4iHvznQtQ52p38FhmsRD6.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VuTSwQVdPxyUu9EXsE6w3ql.zip, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aea7caadbf.exe, 00000007.00000002.3093234156.000000000110F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: RegAsm.exe, 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: aea7caadbf.exe, 00000007.00000002.3093234156.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco,>
Source: RegAsm.exe, 00000019.00000002.2402362277.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: 5AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.walletA%appdata%\Exodus\exodus.walletAkeystoreD
Source: aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal WLAN passwords

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files (x86)\mUrODvZDsuNRBdTcXkdXtpnWOFAIBXFrVuRmIBrAF\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\5454e6f062\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\1000020001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\1000021002\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\ProgramData\MPGPH131\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\1000066001\.purple\accounts.xml

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND

Source: Yara match	File source: 00000007.00000002.3093234156.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3118907177.0000000005D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3139553145.000000000654A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aea7caadbf.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jok.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aea7caadbf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7608, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 00000019.00000002.2402948638.000000000141B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7772, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 32.0.jok.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jok.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe, type: DROPPED

Yara detected RisePro Stealer

Source: Yara match	File source: 00000007.00000002.3093234156.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3134429233.0000000005A06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3134429233.00000000059F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3118681563.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3127044186.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aea7caadbf.exe PID: 5424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aea7caadbf.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FBI40obsDIWEYEPEV328oLc.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\CaDLjLgaJOb2EJDbtX6Wfco.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rwhVS5Gl_u4JEiZA0FdJsuV.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bz4iHvznQtQ52p38FhmsRD6.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VuTSwQVdPxyUu9EXsE6w3ql.zip, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000029.00000002.3096645849.000000000162A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.swiy.exe.3f65570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3009103992.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3544, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	221 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	31 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	512 Process Injection	3 Obfuscated Files or Information	1 Credentials in Registry	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 Install Root Certificate	1 Credentials In Files	349 System Information Discovery	Distributed Component Object Model	1 Email Collection	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	121 Registry Run Keys / Startup Folder	13 Software Packing	LSA Secrets	1 Query Registry	SSH	11 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1191 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	571 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	571 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	512 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
fjL0EcgV6Y.exe	55%	ReversingLabs	Win32.Trojan.Amadey
fjL0EcgV6Y.exe	100%	Avira	TR/Crypt.XPACK.Gen
fjL0EcgV6Y.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\1000021002\2c9ff67496.exe	100%	Avira	TR/AutoIt.mzmcv
C:\Users\user\1000021002\2c9ff67496.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\3YZhMRbhtqchUxr6HrEmYWxb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4zlsKqSOTzijQzm8qevqChAD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\AdqitUVCSO3pnZ13PPMmTugt.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\8sZNm50KnZ73Ir2IAGAzjiCM.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	47%	ReversingLabs	Win32.Trojan.RiseProStealer
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\1ZiD49yFoSPKKQmrglTINzlo.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\1llpE1der8s65YfF1DaRwzoA.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\29IA9rCjPmrMnnZQZ7YKNcOZ.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\2D21U1bRl2sEI2OnuIMYALNl.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\2MTLbmRYdCbpYlRWWULShPZa.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\3bvlPX7g5Zc6pp8TPpEM470u.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\4PmoraVG5R1jZgxSXUXnrPno.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\4WIaPCqUVwVYRafs2f1atHjf.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\4ptz7FM4kP7qMGFoFqE5j0zm.exe	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\5N2KVotsup59l0rdMarxmZjH.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\604jEG5qQpdnhPVOdLS1sPeh.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\6xNdov8AZo7X4GIGr08JaGXe.exe	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\87yah1hG3sRWG8d7DMFA6UPI.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\8gEIcaaLXjtHWMkCknRgnRyn.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\91UaPJ59dXTYhY2K658YFFeC.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\CS3gyNCBkgUy4GD82bQforlP.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\CZ8BPZs8awoPJiACUS73pAe6.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\CwwSkg4Z6r2CyUx7eieftoSL.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\D6PuoAsNvye4jtgG7lWCsXEx.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\EmEyDLXTX7wKV3Hm4GA8AbdZ.exe	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\EqMO5smfp2bzSmy94pnHeeak.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\FsKEmkdvDCAc7VY3lRIiRKAL.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\GXqvrU2YdMIpdqoqkBIkuQ4a.exe	50%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\HUsiXwAPudopBX0gkG8zqZ9K.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\IGVPHrAShfg5S77hqubJkQGT.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\IwVIt8hVIPrEsgJdmcJDc0cp.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\J60VIKU1uGOij5ybpvmDPTRI.exe	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\JfX04QeZvezkOn3eIpEjUqc5.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\KEohnm8N5FXDryvXGbq4vqXq.exe	79%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\KITnOquJmIbAAhc0DU20ke2n.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\KfIHlc6gAJQcL38Vr6ssqJ5m.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\KjpvJ8EHnBGQBp0fiOyr1f1m.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\LdBVJ0t5gC67YMsVTHQfk739.exe	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\LmG3qDHSUq8w4Wsw1PGm8pPm.exe	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\LzRxHxBk5eAHgaCKyeZTvsuN.exe	47%	ReversingLabs	Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\alexxxxxxxx[1].exe	100%	ReversingLabs	Win32.Trojan.Emotet
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\file300un[1].exe	46%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewB[1].exe	91%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll	82%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\jok[1].exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sarra[1].exe	53%	ReversingLabs	Win32.Trojan.RisePro
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe	88%	ReversingLabs	Win32.Trojan.Amadey

Name	Malicious	Antivirus Detection	Reputation
pillowbrocccolipe.shop	true
worryfillvolcawoi.shop	true
diskretainvigorousiw.shop	true
http://49.13.229.86/c73eed764cc59dcb.php	true
enthusiasimtitleow.shop	true

URLs from Memory and Binaries

Name	Source	Malicious
http://193.233.132.139/	explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.175/server/ww12/AppGate2103v01.exe4k	InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	false
http://49.13.229.86/3.229.86/c73eed764cc59dcb.php	RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	false
http://onlycitylink.com	InstallUtil.exe, 00000033.00000002.4166622967.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp	false
https://ipinfo.io/widget/demo/156.146.37.102q	MPGPH131.exe, 00000014.00000003.2694069291.000000000145B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3124637144.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false
https://db-ip.com/demo/home.php?s=156.146.37.102=Eg	RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/RiseProSUPPORTl	MPGPH131.exe, 00000013.00000002.2957184812.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/RiseProSUPPORTh	aea7caadbf.exe, 00000021.00000002.3117284660.0000000001077000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/lend/alexxxxxxxx.exep	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21Response	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
https://yip.su/redirect-	InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
https://t.me/risepro	MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2679315135.0000000001104000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phpded	explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.139/sev56rkm/index.phpded:	explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.139/00021002	explorta.exe, 00000002.00000002.4589350907.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php00088001	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://49.13.229.86/c73eed764cc59dcb.phplKK	RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/mine/random.exe	explorta.exe, 00000002.00000002.4589350907.0000000001A73000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/	explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://49.13.229.86/84bad7132df89fd7/softokn3.dll	RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	false
https://api.ip.sb/ip	jok.exe, 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
https://jonathantwo.comH	InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	false
https://affordcharmcropwo.shop/h	RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	false
https://ipinfo.io/widget/demo/156.146.37.1020	aea7caadbf.exe, 00000021.00000002.3117284660.00000000010ED000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/cost/lenin.exeUser	MPGPH131.exe, 00000013.00000002.2958708136.0000000006208000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.3127044186.0000000005C18000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.234/files/setup.exe4k	InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	aea7caadbf.exe, 00000007.00000003.2765136933.00000000058D6000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2824393145.00000000059FF000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000007.00000003.2777346909.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2785902773.0000000006038000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2789092396.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2780916684.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2775126903.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2758813887.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2772626604.0000000005C89000.00000004.00000020.00020000.00000000.sdmp, aea7caadbf.exe, 00000021.00000003.2798692847.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2776044480.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2785721259.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php8001	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
https://affordcharmcropwo.shop/v	RegAsm.exe, 00000019.00000002.2402948638.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/cost/lenin.exeater	RageMP131.exe, 00000030.00000003.2791013895.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2788181386.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2792650227.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
https://ipinfo.io/	RageMP131.exe, 00000030.00000002.3131365441.0000000001061000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789414202.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2796307180.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790307429.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000002.3131365441.00000000010A6000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/cost/lenin.exea.exeoin	RageMP131.exe, 00000030.00000002.3134911819.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php8w	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phps	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phpm	rundll32.exe, 00000017.00000002.4575050800.000002161D690000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.234/files/loader-2841.exe4k	InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
https://t.me/risepro_botK	MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2694069291.000000000147B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.18	InstallUtil.exe, 00000033.00000002.4166622967.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phph	rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phpe	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://147.45.47.102:57893/hera/amadka.exe	RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phpd	rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://49.13.229.86/84bad7132df89fd7/vcruntime140.dllXN	RegAsm.exe, 00000029.00000002.3096645849.000000000166E000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php	rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/lend/gold.exe	explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	false
https://firstfirecar.com/980979aa037665b1a96df3348db08dc0/baf14778c246e15550645e30ba78ce1c.exe	InstallUtil.exe, 00000033.00000002.4166622967.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.234	InstallUtil.exe, 00000033.00000002.4166622967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false
https://yip.su	InstallUtil.exe, 00000033.00000002.4166622967.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php0	rundll32.exe, 0000001F.00000002.4576475219.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phpUsers	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13Response	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/33.132.56/OneDrive	explorha.exe, 00000008.00000002.4621717301.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
https://t.me/RiseProSUPPORTrJ	aea7caadbf.exe, 00000007.00000002.3094761202.0000000005890000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
https://ipinfo.io:443/widget/demo/156.146.37.102A	MPGPH131.exe, 00000013.00000002.2953499946.0000000001416000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.phpyu8	explorha.exe, 00000008.00000002.4621717301.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php#	explorha.exe, 00000008.00000002.4621717301.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	jok.exe, 00000020.00000002.4626441113.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/cost/go.exe0.1	MPGPH131.exe, 00000014.00000002.3124637144.000000000147B000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id4ResponseD	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/Pneh2sXQk0/index.php$	rundll32.exe, 00000017.00000002.4575050800.000002161D6AB000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
https://yip.su/RNWPd	InstallUtil.exe, 00000033.00000002.4166622967.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000033.00000002.4166622967.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false
http://193.233.132.56/cost/sarra.exe/z=	explorta.exe, 00000002.00000002.4589350907.0000000001A46000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/risepro_bot	RageMP131.exe, 00000030.00000003.2790787862.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2789324736.000000000110F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2821833886.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000030.00000003.2794468417.0000000001116000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	jok.exe, 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.233.132.139	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
49.13.229.86	unknown	Germany	24940	HETZNER-ASDE	true
172.67.193.220	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.111.84	unknown	United States	15169	GOOGLEUS	false
185.215.113.67	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
172.67.148.231	unknown	United States	13335	CLOUDFLARENETUS	false
193.233.132.175	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
193.233.132.56	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
193.233.132.234	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false
104.21.60.76	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.80.67	unknown	United States	15169	GOOGLEUS	false
142.250.64.78	unknown	United States	15169	GOOGLEUS	false
142.251.40.131	unknown	United States	15169	GOOGLEUS	false
104.21.79.77	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.80.3	unknown	United States	15169	GOOGLEUS	false
104.21.31.124	unknown	United States	13335	CLOUDFLARENETUS	false
20.42.73.29	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.67.211	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.165.132	unknown	United States	15169	GOOGLEUS	false
104.21.90.14	unknown	United States	13335	CLOUDFLARENETUS	false
77.221.151.47	unknown	Russian Federation	30968	INFOBOX-ASInfoboxruAutonomousSystemRU	false
177.129.90.106	unknown	Brazil	262394	Internet58Ltda-MEBR	false
172.67.169.89	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.176.131	unknown	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.65.174	unknown	United States	15169	GOOGLEUS	false
147.45.47.126	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
142.251.40.238	unknown	United States	15169	GOOGLEUS	false
104.21.18.166	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.75.166	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.80.10	unknown	United States	15169	GOOGLEUS	false
185.172.128.19	unknown	Russian Federation	50916	NADYMSS-ASRU	false
142.251.40.100	unknown	United States	15169	GOOGLEUS	false
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.193.79	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
187.204.4.219	unknown	Mexico	8151	UninetSAdeCVMX	false
142.251.41.3	unknown	United States	15169	GOOGLEUS	false
104.21.76.57	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.182.192	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1437711
Start date and time:	2024-05-07 20:31:41 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	126
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	fjL0EcgV6Y.exe renamed because original name is a hash value
Original Sample Name:	6bcab686349807f131a92c8fe7a4d736.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@384/420@0/43
EGA Information:	Successful, ratio: 40%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
Execution Graph export aborted for target amert.exe, PID 5784 because it is empty
Execution Graph export aborted for target explorta.exe, PID 1292 because there are no executed function
Execution Graph export aborted for target fjL0EcgV6Y.exe, PID 1424 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: fjL0EcgV6Y.exe

Simulations

Behavior and APIs

Time	Type	Description
20:32:28	Task Scheduler	Run new task: explorta path: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
20:32:29	API Interceptor	3820x Sleep call for process: explorta.exe modified
20:32:39	Task Scheduler	Run new task: explorha path: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
20:32:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe
20:32:45	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
20:32:46	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
20:32:46	API Interceptor	37518x Sleep call for process: explorha.exe modified
20:32:50	API Interceptor	8x Sleep call for process: RegAsm.exe modified
20:32:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:32:55	API Interceptor	55x Sleep call for process: powershell.exe modified
20:32:57	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:33:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe C:\Users\user\1000021002\2c9ff67496.exe
20:33:03	API Interceptor	264x Sleep call for process: InstallUtil.exe modified
20:33:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run aea7caadbf.exe C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe
20:33:28	Task Scheduler	Run new task: NewB.exe path: C:\Users\user\AppData\Local\Temp\1000088001\NewB.exe
20:33:30	API Interceptor	4274x Sleep call for process: rundll32.exe modified
20:33:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:34:01	API Interceptor	639x Sleep call for process: jok.exe modified
20:34:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2c9ff67496.exe C:\Users\user\1000021002\2c9ff67496.exe
20:34:34	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0AhsRiT9HXP8nUVjVsC7lnJ0.bat
20:34:53	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0g2ftn8MzMEKjC1SL91RWtO0.bat
20:35:19	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0GMv9jZTcSw3m2Zzo1oAc5Kp.bat
20:35:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cEElHYdot58DykVLbQVOezn.bat
20:36:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ok8j6Gi15r9nn69GkEMiN0f.bat
20:36:37	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1OUEB4W7HwU4gIL2MQvEH1zP.bat
20:37:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1pHRZ1WVTkwE1Jqqj49K6TVM.bat

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\1000020001\aea7caadbf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2204176
Entropy (8bit):	7.946698135836806
Encrypted:	false
SSDEEP:	49152:YF4+SacvZxqngqv+OIsAsaj46MBt3mGDDKHbxG2/MMF+9:YWvabnIlnMBtVqbx5NO
MD5:	9B38B95FC36FD9B330018EC18E7DEB9D
SHA1:	AF345696F24DB54679D45AAC9D9642D7F51355E8
SHA-256:	50666D01B555E2376B9CB9415309DCEAFCD7CE1F7C6B3DDCC66CFBC13B21B0C7
SHA-512:	AD0CD27DB2667A42A20751C0427EFF9DBFD4E3C1B2236781A90A99C5B60CFBFB045B40E43224EA68A9B805B654EE394FD40BB07200A625070DE813ACF1DC76B4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....96f...............'............X`P...........@...........................g......c"...@..................................Q.......p.......................pg..............................`...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@... .........r..................@..@ X....p...L...D..............@..B.vm_sec..@.......@..................@....idata.......P......................@....tls.........`...........................rsrc........p......................@..@.themida. 5..@......................`....boot........`P.....................`..`.reloc.......pg.......!.

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9275844009195585
Encrypted:	false
SSDEEP:	192:AA7lN1S1X6c0BU/SrFaGszuiFPZ24IO84d3:DS1X6XBU/SrFadzuiFPY4IO84d3
MD5:	DDD6263A14FD4910B10B19BBCDBAE0A2
SHA1:	931B7391155AD0D244A704718AEE4DE2C4388CBA
SHA-256:	06BBBB332629E67F9539DD3C95B69A7B4C0822D7C3DF2E7230603556DC78ABED
SHA-512:	86669991A02BD3D1B111324005241B8FE089A160708A8DC6927ECB83CC0003B1B4206CDDC75DBC08819B41A2112590210319AEECD24DD64A1AC34895221C1D71
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.5.8.0.3.7.0.5.3.4.2.5.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.5.8.0.3.7.1.9.6.0.1.5.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.9.6.a.8.7.c.-.2.2.a.4.-.4.3.7.b.-.8.8.d.7.-.c.6.3.0.f.2.5.9.3.5.f.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.f.b.8.e.4.2.-.4.a.8.1.-.4.3.b.7.-.a.3.7.5.-.b.3.d.d.e.5.8.3.4.a.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.w.i.i.i.i.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.M.S.T.P...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.0.0.-.0.0.0.1.-.0.0.1.5.-.1.7.4.d.-.7.0.f.6.a.c.a.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.f.4.0.2.9.a.9.7.d.3.e.3.4.2.c.a.a.8.8.8.2.3.7.5.d.c.b.c.2.b.1.0.0.0.0.0.9.0.4.!.0.0.0.0.3.3.a.e.d.a.d.b.5.3.6.1.f.1.6.4.6.c.f.f.d.6.8.7.9.1.d.7.2.b.a.5.f.1.4.2.4.1.1.4.!.

Process:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1166336
Entropy (8bit):	7.035555795688903
Encrypted:	false
SSDEEP:	24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8aST2+b+HdiJUX:+TvC/MTQYxsWR7aST2+b+HoJU
MD5:	A45EC26929E9563254198D2B394D4D17
SHA1:	AE3A96692B8329349A0821C88E0C70BA742A4BBA
SHA-256:	DEA0833CAA54B6D05B170F0E0A46B0247D33D47B60F8A5B4BB87877ECAE352A6
SHA-512:	D650E3CB07EB009FDD23DD4A9513B17AE208FE6BE2E097FC0CCCFC37FD3C6F29B70E15DCA6330542D627A13CA776165D0C6D9D9807D0E2381875110815777127
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....i:f..........".................w.............@..........................0.......7....@...@.......@.....................d...\|....@..xa.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...xa...@...b..................@..@.reloc...u.......v...V..............@..B........................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Process:	C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2831872
Entropy (8bit):	7.076550333890677
Encrypted:	false
SSDEEP:	49152:jOvdoJl7MWepyIsE7ddkxuq8rW5vs0VaCQeb5tsQcGo:GYIscWxuq8rUlVaCQo5tsQG
MD5:	31841361BE1F3DC6C2CE7756B490BF0F
SHA1:	FF2506641A401AC999F5870769F50B7326F7E4EB
SHA-256:	222393A4AB4B2AE83CA861FAEE6DF02AC274B2F2CA0BED8DB1783DD61F2F37EE
SHA-512:	53D66FA19E8DB360042DADC55CAAA9A1CA30A9D825E23ED2A58F32834691EB2AAAA27A4471E3FC4D13E201ACCC43160436ED0E9939DF1CC227A62A09A2AE0019
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B............C......C..9...C......R!......R!......C.............R!.....c"......c"......Rich....................PE..L...w.(f...............'..........................@...........................+...........@.................................0..P.............................+..I..0m..8...........................Hl..@..............0............................text............................... ..`.rdata...M.......N..................@..@.data...............................@....idata...........................@..@.00cfg........+....................@..@.reloc..qh....+..j....*.............@..B........................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	26604
Entropy (8bit):	5.05566078212972
Encrypted:	false
SSDEEP:	768:MSF6V3IpNBQkj2Nh4iUxGOPhfDwK6hXtHWrxMtAHkLH3MFNefyvCYo8YR:tF6V3CNBQkj2Nh4iUxGOpUKyXtWrxMtD
MD5:	4006065A6C506B3AE1EA1D6DBF476A7F
SHA1:	BE3A530DEFE631812F08CFE8ADA45B47384A270B
SHA-256:	88F575A6BAEB8008EF9B2D74D972F03DA701E478C92CC99D55346C993CA21909
SHA-512:	55B023AB4CE11616A34AC66E2A2F8553FC9EF2541834925FF8ACCE3FDB7C750FEEBD771A3D723751460CBCB866E3E8374FCD8A792E965C52EDA0941F87188CAC
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.(...mM.}.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem...."...Enable-DAManualEntryPointSelection....#...Set-DAClientExperienceConfiguration........Get-DAEntryPointTableItem........Remove-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Reset-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration........New-DAEntryPointTableItem....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr

Process:	C:\Users\user\AppData\Local\Temp\1000019001\amert.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1907200
Entropy (8bit):	7.950710520033503
Encrypted:	false
SSDEEP:	49152:Uo4WRoi4htfnraPcTSzaMfzqmzb9EkJluWq:UkiruvLTP+Qlun
MD5:	F94CAD2EA8087F7452D99C57BF5C935E
SHA1:	FA47755DBC5C9DD1F4A7D5E18DE9D7A4178C3E0D
SHA-256:	86DAADC6D16A6BE5012B517E4EF49316BAC7EF6AA1C86CFC26CF0719DE9F0F75
SHA-512:	BBF608153AAE2C0FA77CA8F66FF16AB03CFAECA321144577C8860EE0A535617A4F5D854A6AAEEDB42CE97275A20817E1889594E7D76C97BADBAA015AB62F99DA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...o..e..............................K...... ....@...........................L.....h.....@.................................V...j.............................K.............................X.K..................................................... . ............................@....rsrc...............................@....idata ............................@... . +.........................@...tgqtxtnx......1.....................@...ouenqhoa......K.....................@....taggant.0....K.."..................@...................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\fjL0EcgV6Y.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1804304
Entropy (8bit):	7.951520514641467
Encrypted:	false
SSDEEP:	49152:haJmLsU7YRCWfNHICNUMjSd2HZmSTI3G/kPdLmas2:haJksZyCiMnk2cVq4
MD5:	6BCAB686349807F131A92C8FE7A4D736
SHA1:	487846C6D51F8DF894BB174542A81FD0EB25E1AE
SHA-256:	CCABD5BC8499C485E7ABAB1825F67A753A8CCFC822037F2368E3C6FA5F570926
SHA-512:	94E16B6336A1205CF624F8FCDBB2E32A2E85BE93A483D87369E3CD85B12A31F31A908C730709F40A91D0AE6A173554C66229BB44D4AC2295C29073741CE9014A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...yO&f............................X`<...........@...........................T.....)&....@..........................................0........................T.............................. ...................................................... J........,.................. ..` N........V...0..............@..@ .E... ......................@... .....p......................@..@ .K.......0..................@..B.vm_sec..@.......@..................@....idata..............................@....tls......... ...........................rsrc........0......................@..@.themida. 5..@......................`....boot....\|...`<..\|..................`..`.reloc........T........................@........................

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Reputation:	unknown
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

Process:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3713
Entropy (8bit):	7.898977270425516
Encrypted:	false
SSDEEP:	96:ZDXqhu71ICKGPZeuogoNg+jT/xAz5q1Pqz4JqxZ3KJa:tqhEeChZnvqgqyq1PK4JqZ6Ja
MD5:	32174A0DEFFB1267A7B4382C35980498
SHA1:	7E0DD6EFBE0AB6E28B3706986CC32E7E71A2D90A
SHA-256:	44293B82B3A9D867009C547C1D19CFC10A02BE55ED6545954CEC8B72D5C248D0
SHA-512:	48826A00B4EEB92F2AEE185FC0565724B549DBBEE16AAD395BBC707B27D4D98D1B7572355B120297460A39D1C4354071B235FDE6EF2817006B0451DF894685D5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\rwhVS5Gl_u4JEiZA0FdJsuV.zip, Author: Joe Security
Reputation:	unknown
Preview:	PK........5..X.!c5l....%......information.txt.ZYo.L.....`in..Mx]..v..-.....=.....^.6.h......O..Z..N...S...,Y.....&4..0x.`I~\|x\|...}.F;u.$.....z.}...cZ+7....S...O.J.'.B.ia.'...,4ua...1N..k"d...O.X....>i..4.P..:A....:M..ts......Ad#. .1...N.LV.R...8f......E.....`.m......K.1....J.H...a..jn.....7...=.....smo......,.....%.......1..s<.O.K..{:S.MN...!...q=/..,=1C.....t. .Y2.P.s$........%4.......U.3..Z.Aol0Hj..q.....o<....Co.Y..&.....q...;.L:.......EhF......,=7^I...P[j.......?..QF.'...,...4{.....>...{8.UA..W6...(s..`.8.Yx.AB._..R5..Q.7...X"D...bI.e..zfD1a5...#..aP.<K.....wm.VS..C~.:...q.$R.]K.(..&I.c.\..13fx...K..p.....$..!...q....A.}..(.`...n..%.........0.d..S.4..L..........Va\|Q.r......5..X..@#.......+7...QA..(s.F.V....."...;8........Y...pq.......>\..( .u...<I.7b...0}tgz... w\$w.W...Z.B....@/....U..P.....M.z..".E? ,...wl....m.B.s.VCU..p.....w..I.qH.Lv'0......\.:(.,s}....&B..CwR..1....J.?o;...4..N.....c.8.t.....N.aP..g8._?e.S?L.(..`

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	unknown
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Entrypoint:	0x7c6058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66264F79 [Mon Apr 22 11:52:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9dfe5757453ac4b6ed82bf0cf7ab0266

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7109f	0xc0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x73000	0x7e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54e000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x72018	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x4e44a	0x22c00	b3741ec845f2c87aa9673079ff6ba253	False	0.9998032823741008	data	7.9986498410293665	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x50000	0x11c4e	0x5600	ef3ed846f14fdf6a20a6e8d9430f498a	False	0.9933230377906976	data	7.975372423268159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x62000	0x45a4	0x800	7700f99aa08eca59d048d55f978471ce	False	1.00537109375	data	7.831755034911041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x67000	0x1e0	0x200	07779f19ea5a8ab384d22679e5783d69	False	0.888671875	data	6.61378974665399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x68000	0x4bc4	0x3000	5fb915269ca9d01be37f8657a0a9104f	False	0.9834798177083334	data	7.942878619830215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec	0x6d000	0x4000	0x4000	68180fe73d5900cc170f3a2cc49bb05c	False	0.16583251953125	data	2.9434603833210717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x71000	0x1000	0x200	f9eef23d1138690aeba265ff5448dfca	False	0.3828125	data	2.863715215086496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x72000	0x1000	0x200	f6363c53ce07d09b61b63b66eb8cf6ba	False	0.056640625	data	0.18120187678200297	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x73000	0x1000	0x800	87acbb71b21ab4ae100181a4447d8be5	False	0.4111328125	data	5.44897069280421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x74000	0x352000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x3c6000	0x187c00	0x187c00	59e91b6cbd6c7d6dd68460432e7d05e5	False	0.9909273791480536	OpenPGP Secret Key	7.956255917420769	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x54e000	0x1000	0x10	e9e9559f85469b458c40ee7aae3a2776	False	1.5	GLS_BINARY_LSB_FIRST	2.349601752714581	IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x73078	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727
RT_MANIFEST	0x73208	0x5d7	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.43478260869565216

DLL	Import
kernel32.dll	GetModuleHandleA
ADVAPI32.dll	RegCloseKey
SHELL32.dll	SHGetFolderPathA
ole32.dll	CoUninitialize
WININET.dll	HttpOpenRequestA
WS2_32.dll	closesocket

Target ID:	0
Start time:	20:32:26
Start date:	07/05/2024
Path:	C:\Users\user\Desktop\fjL0EcgV6Y.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fjL0EcgV6Y.exe"
Imagebase:	0xdb0000
File size:	1'804'304 bytes
MD5 hash:	6BCAB686349807F131A92C8FE7A4D736
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2083851627.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2064758030.0000000003380000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	20:32:32
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Imagebase:
File size:	1'804'304 bytes
MD5 hash:	6BCAB686349807F131A92C8FE7A4D736
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	20:32:36
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Local\Temp\1000019001\amert.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Imagebase:	0xe30000
File size:	1'907'200 bytes
MD5 hash:	F94CAD2EA8087F7452D99C57BF5C935E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.2239011126.0000000000E31000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2177043340.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	20:32:44
Start date:	07/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x610000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fjL0EcgV6Y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DAAECAFH

Windows Analysis Report
fjL0EcgV6Y.exe

Target ID:	21
Start time:	20:32:49
Start date:	07/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Imagebase:	0x80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	32
Start time:	20:32:51
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Local\Temp\1000071001\jok.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Imagebase:	0x490000
File size:	311'296 bytes
MD5 hash:	8510BCF5BC264C70180ABE78298E4D5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000000.2311996086.0000000000492000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.4626441113.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, Author: Joe Security
Has exited:	false

Target ID:	38
Start time:	20:32:53
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000073001\swiy.exe"
Imagebase:	0xbc0000
File size:	162'304 bytes
MD5 hash:	317465164F61FE462864A65B732CCC13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000026.00000002.2353073715.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	43
Start time:	20:32:56
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Imagebase:	0x246c0a50000
File size:	534'152 bytes
MD5 hash:	C1D583657C7FE7973F820983FD1ABB81
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000002B.00000002.3082608256.00000246C2631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	50
Start time:	20:33:01
Start date:	07/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.4%
Total number of Nodes:	1045
Total number of Limit Nodes:	21

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre