Windows Analysis Report
bUWKfj04aU.exe

Overview

General Information

Sample name: bUWKfj04aU.exe
renamed because original name is a hash value
Original sample name: b9a582f60e89571526c4a6dacbb6a576.exe
Analysis ID: 1425954
MD5: b9a582f60e89571526c4a6dacbb6a576
SHA1: 0fe5061a1a4aa43d2ba13e954813746cef08292a
SHA256: a02549a343b100949c013f1c84927136e8c8f6e23110ae1d025c9733d5ad712f
Tags: exe

Detection

LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates an undocumented autostart registry key
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: bUWKfj04aU.exe Avira: detected
Source: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe Avira: detection malicious, Label: HEUR/AGEN.1310451
Source: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "185.172.128.33:8970", "Bot Id": "@OLEH_PSP", "Authorization Header": "5fbb2db54ba05b2223e91d7545647809"}
Source: 26.0.NewB.exe.190000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}
Source: RegAsm.exe.1424.21.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop"], "Build id": "LOGS11--LiveTraffic"}
Source: C:\ProgramData\wikombernizc\reakuqnanrkn.exe ReversingLabs: Detection: 95%
Source: C:\ProgramData\wikombernizc\reakuqnanrkn.exe Virustotal: Detection: 82%
Source: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe Virustotal: Detection: 44%
Source: bUWKfj04aU.exe ReversingLabs: Detection: 63%
Source: bUWKfj04aU.exe Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe Joe Sandbox ML: detected
Source: bUWKfj04aU.exe Joe Sandbox ML: detected
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: pillowbrocccolipe.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: communicationgenerwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: diskretainvigorousiw.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: affordcharmcropwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: dismissalcylinderhostw.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: enthusiasimtitleow.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: worryfillvolcawoi.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: cleartotalfisherwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: affordcharmcropwo.shop
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000001D.00000002.2620030741.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: LGNDR1--ketamine
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: 185.172.128.19
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: /ghsdh39s/index.php
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: S-%lu-
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: cd1f156d67
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Utsysc.exe
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SCHTASKS
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: /TR "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Startup
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: rundll32
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: /Delete /TN "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Programs
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: %USERPROFILE%
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: http://
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: https://
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: /Plugins/
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: &unit=
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: shell32.dll
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: kernel32.dll
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: GetNativeSystemInfo
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: ProgramData\
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: AVAST Software
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Kaspersky Lab
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Panda Security
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Doctor Web
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: 360TotalSecurity
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Bitdefender
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Norton
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Sophos
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Comodo
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: WinDefender
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: 0123456789
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: ------
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: ?scr=1
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: ComputerName
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: -unicode-
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: VideoID
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: ProductName
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: CurrentBuild
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: echo Y|CACLS "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: " /P "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: CACLS "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: :R" /E
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: :F" /E
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: &&Exit
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: rundll32.exe
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: "taskkill /f /im "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: " && timeout 1 && del
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: && Exit"
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: " && ren
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: Powershell.exe
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: shutdown -s -t 0
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: /w']fC
Source: 26.0.NewB.exe.190000.0.unpack String decryptor: vw(hF=
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00415B57 CryptUnprotectData, 21_2_00415B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004162C7 CryptUnprotectData, 29_2_004162C7

Exploits

Source: Yara match File source: 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file300un.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Uni400uni.exe PID: 7684, type: MEMORYSTR
Source: bUWKfj04aU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source: Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source: Binary string: 2C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source: Binary string: `C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb) source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source: Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001CDB5E FindFirstFileExW, 26_2_001CDB5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+70h] 21_2_00417239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+00000080h] 21_2_004212B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi] 21_2_00415390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 21_2_00421670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 21_2_0043B800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 21_2_00435ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 21_2_00409D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+0Ch] 21_2_0043AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 21_2_00414F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h 21_2_00421F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 21_2_0041403B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then test edi, edi 21_2_0043A0D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 21_2_00432140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 21_2_0041D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+000001C0h] 21_2_00424240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 21_2_00415216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+04h] 21_2_0043822F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movsx ecx, byte ptr [esi+eax] 21_2_0040D2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 21_2_0041B2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 21_2_00439461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+0Ch] 21_2_0043B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000F0h] 21_2_0041347E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 21_2_004384D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 21_2_004025E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 21_2_00416582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 21_2_004216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then not ecx 21_2_004176E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h 21_2_00413722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000180h] 21_2_00411739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 21_2_0040F7CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h 21_2_0041B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 21_2_0043799B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 21_2_00416A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+70h] 21_2_00417A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], al 21_2_00422B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], al 21_2_00422B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 21_2_00417BF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h] 21_2_0041FBB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h 21_2_00410C5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ecx], al 21_2_00416E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push edi 21_2_0040FED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h 21_2_00410F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h] 21_2_0041EF19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [eax+edi] 29_2_004381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 29_2_004162C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+10h] 29_2_00409BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc edi 29_2_00402CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esi, dword ptr [edx+ecx] 29_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 29_2_0042404C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push 00000000h 29_2_00411007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 29_2_00424038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, dword ptr [esi+10h] 29_2_004210E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [esp] 29_2_004110A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 29_2_004231D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ecx 29_2_00414190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+54h] 29_2_004171A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+000000BCh] 29_2_0041B230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 29_2_004122E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 29_2_004232E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 29_2_00422355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 29_2_004183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 29_2_0042E3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 29_2_004223FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] 29_2_00423381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, eax 29_2_00414397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [esi] 29_2_0042342A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 29_2_00422328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h 29_2_00432600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 29_2_00402620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+0Ch] 29_2_0041D634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+74h] 29_2_004206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 29_2_004206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 29_2_004226A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 29_2_004226A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 29_2_0041B6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 29_2_00421768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+08h], edx 29_2_0041D878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 29_2_00421FEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 29_2_0041F94E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 29_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea eax, dword ptr [esi+000000D4h] 29_2_00420A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [esp+eax+000000A0h], 0000h 29_2_00433A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 29_2_0041DBCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [esp+eax+000000A0h], 0000h 29_2_00433A95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h 29_2_00419E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movsx ecx, byte ptr [esi+eax] 29_2_0040DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 29_2_0041FFD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 29_2_00421FF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 29_2_00423FF3

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.32 80
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor IPs: 185.172.128.19
Source: Malware configuration extractor URLs: 185.172.128.33:8970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: vFvvln76msVyiTRvQQMSlc4y.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: 6A6tSzDSK6P9F6s9kkiOZkgA.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: a3XC8JYF0aYXxIZPljcBh92I.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: 0ZzXdtKbBOkMTYdVV1HNUsqT.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: xIvgySaF2JVAOfOVBY400p1d.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: gxNMHUmIRRsTpoh2kGfIr9lW.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: IA1JiyWIGEvHCZKTDOlZNrXb.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: YtkUkgpbmZlbSuZT81owPAOw.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: yybBRlcB659iEk7Vesfqc6Zw.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: SlwT2Dhb0jcRK2apeSa3FdHE.exe.45.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: swXqwxxcUE7SVCRYdUBHf3nm.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: IKulK0lzJvII432wpHMkGWRw.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: domCqD7LBg1Q0KxGLvuFe0Aj.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: uWDQa01moDg0YUv8UXTjuXuR.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: dkk7cRVuWpprbxEbDlw69GrM.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: h9MmfvkW2XknV10h725GOqVL.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: UvmCGtz1aYTjhcoAhykwCuQw.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: CCF32f9je00j8IZrr0Ff4c4t.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: EqvNTTWJsgdaHBZM2vNGyoMV.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: 0zuHPkqadZGFhsedqfFjHrEV.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: oxW5doxruDrLfkxekfdC42S3.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: RvrkjxBwedY81Y68Ne47TzMs.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: Stj0rnzdLizcr79amRyA4wnp.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: 1Cki827fF40ubJ4RMKyP3Elr.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: 33tIGBzVuCMQl3Wc6IvtNEjP.exe.51.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: v05bbHszTdSghZlrnH5jWCvs.exe.51.dr
Source: Yara match File source: 39.2.file300un.exe.27ab92961f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.Uni400uni.exe.25500086af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.Uni400uni.exe.255000840b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.file300un.exe.27ab92937b8.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View IP Address: 185.172.128.90 185.172.128.90
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008CC990 recv,recv,recv,recv, 0_2_008CC990
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: #www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://download.iolo.net
Source: svchost.exe, 00000013.00000003.2285131926.0000025E535F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
Source: powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://ocsp.digicert.com0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C4B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: http://www.opera.com0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
Source: RegAsm.exe, 0000001D.00000002.2663231938.0000000001348000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.3031292972.000000000357A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 0000001D.00000002.2670127283.0000000001375000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 0000001D.00000002.3031292972.0000000003570000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apiA
Source: RegAsm.exe, 0000001D.00000002.3031292972.000000000357A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apiW
Source: RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop:443/api
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C4B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DAD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30D9F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DAD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002648000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, propro.exe, 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, Traffic.exe, 0000000F.00000002.2321334601.0000000002648000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://autoupdate.geo.opera.com/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://autoupdate.geo.opera.com/geolocation/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://crashpad.chromium.org/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://crashstats-collector.opera.com/collector/submit
Source: Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2650906169.00000000033B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://economicscreateojsu.shop/
Source: RegAsm.exe, 00000015.00000002.2650906169.00000000033BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://economicscreateojsu.shop/api
Source: RegAsm.exe, 00000015.00000002.2650906169.00000000033BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://economicscreateojsu.shop/apip
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://economicscreateojsu.shop:443/api
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://economicscreateojsu.shop:443/api)
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
Source: svchost.exe, 00000013.00000003.2285131926.0000025E5364E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000013.00000003.2285131926.0000025E535F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://gamemaker.io
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://gamemaker.io)
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://gamemaker.io/en/education.
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://gamemaker.io/en/get.
Source: powershell.exe, 00000008.00000002.2329069895.000001A30C6D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://help.instagram.com/581066165581870;
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://help.opera.com/latest/
Source: NewB.exe, 00000017.00000003.2353346772.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/
Source: NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/45c777cd634b90d85bd90992c72a11ec/4767d2e713f2021e8fe856e3ea638b58.exe
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/AV
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/IV
Source: NewB.exe, 00000017.00000003.2353346772.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/a638b58.exe
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/iV
Source: NewB.exe, 00000017.00000003.2332265607.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 00000017.00000003.2332141365.0000000000F84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/qV
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://legal.opera.com/eula/computers
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://legal.opera.com/privacy
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://legal.opera.com/privacy.
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://legal.opera.com/terms
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://legal.opera.com/terms.
Source: powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2329069895.000001A30DD83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://opera.com/privacy
Source: NewB.exe, 00000017.00000003.2332224399.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://parrotflight.com/4767d2e713f2021e8fe856e3ea638b58.exe
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://policies.google.com/terms;
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://redir.opera.com/uninstallsurvey/
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://sourcecode.opera.com
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://telegram.org/tos/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://twitter.com/en/tos;
Source: ISetup8.exe, 00000023.00000003.3016446842.0000000005C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://www.opera.com
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://www.opera.com..
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://www.opera.com/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://www.opera.com/download/
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://www.opera.com/privacy
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr String found in binary or memory: https://www.whatsapp.com/legal;
Source: file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 21_2_0042DDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0042B190 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 29_2_0042B190
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002821000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_7d0672c4-d
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File created: C:\Users\user\AppData\Local\Temp\TmpBCE6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe File created: C:\Users\user\AppData\Local\Temp\Tmp3775.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe File created: C:\Users\user\AppData\Local\Temp\Tmp3776.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File created: C:\Users\user\AppData\Local\Temp\TmpBD35.tmp Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: gold[1].exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 307200
Source: gold.exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 307200
Source: swiiiii[1].exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: bUWKfj04aU.exe Static PE information: section name:
Source: bUWKfj04aU.exe Static PE information: section name: .idata
Source: bUWKfj04aU.exe Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name: .idata
Source: explorgu.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001ACC87 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 26_2_001ACC87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004371C0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004371C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004381B0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004322C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004322C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004372F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004372F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00415300 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00415300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00438470 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00438470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004344DB NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004344DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00437550 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00437550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004376C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004376C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004166A7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004166A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004177E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004177E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00415B15 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00415B15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00419C00 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00419C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00423C16 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00423C16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00433CF7 NtOpenSection, 29_2_00433CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00416C80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00416C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00434D0A NtMapViewOfSection, 29_2_00434D0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00436E10 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041EFD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00436FF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00436FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004180C5 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004180C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413145 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00413145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00430450 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00430450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00437420 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00437420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00417670 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00417670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00432600 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00432600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004136F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004136F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041B6AF NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_0041B6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004328F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00421890 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004379E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_004379E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00432A50 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00432A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041BA3C NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_0041BA3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041DA90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_0041DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00432B60 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00432B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00418B31 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00418B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041DBF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_0041DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00432C90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00432C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00437D70 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00437D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00432DA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00432DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00419E30 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00419E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00416E36 NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00416E36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00423FF3 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 29_2_00423FF3
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File created: C:\Windows\Tasks\explorgu.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_009024D0 0_2_009024D0
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008C60E0 0_2_008C60E0
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00906809 0_2_00906809
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_0090707B 0_2_0090707B
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00902968 0_2_00902968
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00907EB0 0_2_00907EB0
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008F7780 0_2_008F7780
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00906F5B 0_2_00906F5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3448CCAB 8_2_00007FFD3448CCAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34489EE0 8_2_00007FFD34489EE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD344907A0 8_2_00007FFD344907A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3448C99D 8_2_00007FFD3448C99D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34492171 8_2_00007FFD34492171
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3448EADC 8_2_00007FFD3448EADC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3448EB21 8_2_00007FFD3448EB21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3448A3FA 8_2_00007FFD3448A3FA
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Code function: 10_2_00FC0C38 10_2_00FC0C38
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Code function: 10_2_00FC0C28 10_2_00FC0C28
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Code function: 10_2_00FC09B0 10_2_00FC09B0
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Code function: 10_2_00FC099F 10_2_00FC099F
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Code function: 17_2_00B70A2F 17_2_00B70A2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00425183 21_2_00425183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00421670 21_2_00421670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00415B57 21_2_00415B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00404C40 21_2_00404C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00421F80 21_2_00421F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00410060 21_2_00410060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00401000 21_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0041D128 21_2_0041D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0043B130 21_2_0043B130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00408250 21_2_00408250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00404260 21_2_00404260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00403370 21_2_00403370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0043B470 21_2_0043B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00436480 21_2_00436480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00406610 21_2_00406610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_004216CE 21_2_004216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00401740 21_2_00401740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00403770 21_2_00403770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00405890 21_2_00405890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00406C20 21_2_00406C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0041DD72 21_2_0041DD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00426E67 21_2_00426E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00426F29 21_2_00426F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00426FA0 21_2_00426FA0
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D30F8 26_2_001D30F8
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001B6283 26_2_001B6283
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D8640 26_2_001D8640
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001B16F3 26_2_001B16F3
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D76EB 26_2_001D76EB
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D780B 26_2_001D780B
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D2C60 26_2_001D2C60
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001B3EE2 26_2_001B3EE2
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001C7F10 26_2_001C7F10
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001B0F04 26_2_001B0F04
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D6F99 26_2_001D6F99
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Code function: 27_2_00D20E8F 27_2_00D20E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00404AB0 29_2_00404AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041EFD0 29_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0042404C 29_2_0042404C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00401000 29_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004040E0 29_2_004040E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004301F0 29_2_004301F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004051B0 29_2_004051B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00403350 29_2_00403350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040A300 29_2_0040A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00411410 29_2_00411410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004064F0 29_2_004064F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00403740 29_2_00403740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00401740 29_2_00401740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00405700 29_2_00405700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004379E0 29_2_004379E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00406BF0 29_2_00406BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00420BFA 29_2_00420BFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00437D70 29_2_00437D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041DDB7 29_2_0041DDB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00423F4D 29_2_00423F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00407FE0 29_2_00407FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00423FF3 29_2_00423FF3
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Process token adjusted: Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408C90 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00409160 appears 162 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408A40 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004092E0 appears 160 times
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: String function: 001AE080 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: String function: 001A8580 appears 137 times
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: String function: 001ADA42 appears 83 times
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5564 -ip 5564
Source: alexxxxxxxx[1].exe.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: alexxxxxxxx.exe.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: bUWKfj04aU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: alexxxxxxxx[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: alexxxxxxxx.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bUWKfj04aU.exe Static PE information: Section: ZLIB complexity 0.9975034435261708
Source: bUWKfj04aU.exe Static PE information: Section: icxmwjzd ZLIB complexity 0.9942756751306084
Source: explorgu.exe.0.dr Static PE information: Section: ZLIB complexity 0.9975034435261708
Source: explorgu.exe.0.dr Static PE information: Section: icxmwjzd ZLIB complexity 0.9942756751306084
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@170/306@0/30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0042A936 CoCreateInstance, 21_2_0042A936
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Roaming\006700e5a2ab05 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7684
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:992:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5564
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File created: C:\Users\user\AppData\Local\Temp\00c07260dc Jump to behavior
Source: Yara match File source: 00000023.00000003.3016446842.0000000005841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u5ps.1.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: bUWKfj04aU.exe ReversingLabs: Detection: 63%
Source: bUWKfj04aU.exe Virustotal: Detection: 65%
Source: bUWKfj04aU.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File read: C:\Users\user\Desktop\bUWKfj04aU.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\bUWKfj04aU.exe "C:\Users\user\Desktop\bUWKfj04aU.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe "C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5564 -ip 5564
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 920
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe "C:\Users\user\AppData\Local\Temp\1001084001\random.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 500 -p 7684 -ip 7684
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7684 -s 1076
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe "C:\Users\user\AppData\Local\Temp\1001084001\random.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe "C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
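Added example, not part of the Joe Sandbox report: a small Python triage script that parses "Process created" lines in the format used above and flags the behaviours that make this chain worth escalating: the Defender exclusion over the user profile, the one-minute schtasks re-launch of a Temp binary, the Wi-Fi profile dump, rundll32 loading cred64.dll/clip64.dll out of AppData, RegAsm/RegSvcs/MSBuild started with an empty command line by a parent living in the user profile (the hollowing pattern behind the injection signatures), and the Compress-Archive staging zip. The rule names, the user-writable path regex and the host list are assumptions of this example; the sample lines are copied from the report above into a constructed list so the script runs offline.

```python
"""Triage helper for sandbox 'Process created' lines (added example, not report code)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Report line shape: "Source: <parent exe> Process created: <child exe> <command line>"
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+)(?: (?P<cmd>.*))?$"
)
# Locations an unprivileged user can write to (assumed list); every stage of the
# chain above either runs from here or drops its payload here.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata)\\", re.I)
# .NET utilities seen above being started with a bare command line and then
# overwritten with the stealer payload; extend as needed.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe"}

# Constructed sample input, copied from the report lines above (not live telemetry).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F',
    r"Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles",
    r'Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main',
    r'Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r"Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal",
    # Noise that must not fire: the console host, and a child the sandbox could not resolve.
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    child: str


def parse(line: str):
    """Split one report line into (parent, child, command line); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["parent"], m["child"], (m["cmd"] or "")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(parent: str, child: str, cmd: str) -> list:
    """Return the names of every rule (assumed names) that the process creation matches."""
    rules = []
    name = _basename(child)
    low = cmd.lower()
    # Defence evasion: Defender exclusion covering the whole user profile.
    if "add-mppreference" in low and "-exclusion" in low:
        rules.append("defender_exclusion")
    # Persistence: task re-running a user-writable binary every minute.
    if name == "schtasks.exe" and re.search(r"/sc\s+minute", low):
        tr = re.search(r'/tr\s+("([^"]*)"|(\S+))', cmd, re.I)
        target = (tr.group(2) or tr.group(3)) if tr else ""
        if USER_WRITABLE.search(target):
            rules.append("scheduled_task_minute")
    # Credential access: first half of the Wi-Fi password theft flagged by Sigma above.
    if name == "netsh.exe" and re.search(r"wlan\s+show\s+profiles?", low):
        rules.append("wifi_profile_dump")
    # rundll32 loading a DLL out of the user profile (cred64.dll / clip64.dll here).
    if name == "rundll32.exe":
        if any(USER_WRITABLE.search(d) for d in re.findall(r"\S+\.dll\b", cmd, re.I)):
            rules.append("rundll32_user_dll")
    # Injection host: .NET utility with an empty command line, parent in the user profile.
    if name in DOTNET_HOSTS and USER_WRITABLE.search(parent):
        if cmd.strip().strip('"').lower() == child.lower():
            rules.append("dotnet_host_no_args")
    # Collection: stolen files zipped into a user-writable path ahead of exfiltration.
    if "compress-archive" in low:
        dest = re.search(r"-destinationpath\s+['\"]?([^'\" ]+)", cmd, re.I)
        if dest and USER_WRITABLE.search(dest.group(1)):
            rules.append("archive_staging")
    return rules


def scan(lines) -> list:
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        parent, child, cmd = parsed
        for rule in classify(parent, child, cmd):
            findings.append(Finding(rule, parent, child))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.rule:22} {PureWindowsPath(f.parent).name} -> {PureWindowsPath(f.child).name}")
```

Run as a script it prints one finding per sample line, and nothing for the conhost and "unknown unknown" lines. The parent-location check in the RegAsm rule is what keeps it usable: the same bare RegAsm.exe command line started by an installer from a system path produces no finding, whereas gold.exe in Temp starting it is exactly the hollowing target the "Injects a PE file into a foreign processes" signature above describes.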
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dlnashext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wpdshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: bUWKfj04aU.exe Static file information: File size 1858560 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: bUWKfj04aU.exe Static PE information: Raw size of icxmwjzd is bigger than: 0x100000 < 0x196c00
Source: Binary string: C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source: Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source: Binary string: 2C:\pilace\bemelejedar-xuyu.pdb source: 4767d2e713f2021e8fe856e3ea638b58.exe, 00000021.00000000.2365060303.000000000041C000.00000002.00000001.01000000.0000001A.sdmp, fNXuIJPtZ25Cf8AC2M7nLhvu.exe.51.dr, aCC9Y3uZiPILOE7CPQBm3dqe.exe.51.dr
Source: Binary string: `C:\paz\81\soseleyayaj\kud.pdb source: ISetup8.exe, 00000023.00000003.2889135896.0000000004A61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 0000001B.00000002.2620190286.0000000002853000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb) source: alexxxxxxxx.exe, 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr
Source: Binary string: C:\hisi.pdb source: ISetup8.exe, 00000023.00000000.2398337251.000000000041C000.00000002.00000001.01000000.0000001C.sdmp, ISetup8.exe, 00000023.00000003.3016845539.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, A47mXAfrsBDpojX2UlRMyVjb.exe.45.dr
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr

Data Obfuscation

Source: C:\Users\user\Desktop\bUWKfj04aU.exe Unpacked PE file: 0.2.bUWKfj04aU.exe.8c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;icxmwjzd:EW;luxgzuin:EW; vs :ER;.rsrc:W;.idata :W; :EW;icxmwjzd:EW;luxgzuin:EW;
Source: gold[1].exe.2.dr Static PE information: 0x88C65EDB [Fri Sep 19 01:09:47 2042 UTC]
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001BC08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 26_2_001BC08C
Source: initial sample Static PE information: section where entry point is pointing to: luxgzuin
Source: clip64.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x2b5a5
Source: swiiiii.exe.2.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: gold.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x5b283
Source: NewB[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: alexxxxxxxx[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0x1c49ab
Source: alexxxxxxxx.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x1c49ab
Source: cred64[1].dll.2.dr Static PE information: real checksum: 0x0 should be: 0x14318c
Source: gold[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0x5b283
Source: NewB.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: cred64.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x14318c
Source: clip64[1].dll.2.dr Static PE information: real checksum: 0x0 should be: 0x2b5a5
Source: swiiiii[1].exe.2.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: bUWKfj04aU.exe Static PE information: section name:
Source: bUWKfj04aU.exe Static PE information: section name: .idata
Source: bUWKfj04aU.exe Static PE information: section name:
Source: bUWKfj04aU.exe Static PE information: section name: icxmwjzd
Source: bUWKfj04aU.exe Static PE information: section name: luxgzuin
Source: explorgu.exe.0.dr Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name: .idata
Source: explorgu.exe.0.dr Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name: icxmwjzd
Source: explorgu.exe.0.dr Static PE information: section name: luxgzuin
Source: cred64[1].dll.2.dr Static PE information: section name: _RDATA
Source: cred64.dll.2.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D61000 push ecx; mov dword ptr [esp], 1396ED17h 0_2_00D61010
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D61039 push 405F94C5h; mov dword ptr [esp], edx 0_2_00D6109F
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D61039 push 325606AEh; mov dword ptr [esp], esi 0_2_00D610D3
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D61039 push edx; mov dword ptr [esp], 6F7BB987h 0_2_00D610E1
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D61039 push 665B66C3h; mov dword ptr [esp], esi 0_2_00D61174
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D6118A push 03BCB4D5h; mov dword ptr [esp], esp 0_2_00D611A5
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_00D6118A push esi; mov dword ptr [esp], eax 0_2_00D611C5
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008DD2A1 push ecx; ret 0_2_008DD29F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD344800BD pushad ; iretd 8_2_00007FFD344800C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0043F5AC push esi; retn 0048h 21_2_0043F5AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0043FC64 push eax; iretd 21_2_0043FC65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00440C13 push ecx; ret 21_2_00440C17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0043FC98 push AA77266Eh; iretd 21_2_0043FC9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0043FD86 pushfd ; ret 21_2_0043FD87
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001AE0C6 push ecx; ret 26_2_001AE0D9
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001A3440 push ss; ret 26_2_001A3447
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001ADA1C push ecx; ret 26_2_001ADA2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0043E05C push ss; retf 29_2_0043E099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0043CE48 push es; retn 0043h 29_2_0043CE49
Source: bUWKfj04aU.exe Static PE information: section name: entropy: 7.980453073658566
Source: bUWKfj04aU.exe Static PE information: section name: icxmwjzd entropy: 7.953998794627234
Source: explorgu.exe.0.dr Static PE information: section name: entropy: 7.980453073658566
Source: explorgu.exe.0.dr Static PE information: section name: icxmwjzd entropy: 7.953998794627234
Source: alexxxxxxxx[1].exe.2.dr Static PE information: section name: .text entropy: 7.940192854489615
Source: alexxxxxxxx.exe.2.dr Static PE information: section name: .text entropy: 7.940192854489615
Source: gold[1].exe.2.dr Static PE information: section name: .text entropy: 7.996501459948458
Source: gold.exe.2.dr Static PE information: section name: .text entropy: 7.996501459948458
Source: swiiiii[1].exe.2.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.2.dr Static PE information: section name: .text entropy: 7.992152217310619

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ISetup8[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Ee4C8pygmuP2wWmHYlaPNRsj.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FirstZ[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\g9ls6tmSqvqEPFEPMTLxj5T8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\7cKVSqTv7NnDDL1Bxf0FokVy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\emoDG0nH5rlkVVnXgc1mj5b6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\tH2mUUONokvK3vL8ubpXbilZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\sx0rXq9mQR9aeLWBWHbPdr14.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\3Qu8OOESjPevn9hgYpoGckO6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\JLiIrbSzLzOnR0erkK3iGyEU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\uhjRBnwj8K4T9LYmtd6M66hw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\wXamxKfyZPmwZrj3GYJOigy8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\uuRE7gXsEM4RR1NoZUBwtrlp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\VxBZwWSDvyrtFfizMLyM1BzT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\hcidkkgbJV63mERAuLfsQa8h.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\DTvgIdE1FHJj9FUSxKWXL2RO.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\RqikXgL90rwJFOFaZuJPlBKd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\SN8aMZWrntrM7YJrmHS2jN15.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\RoyNg8B8qjQgITKbssh3ShCc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\MnKGY5RWTeEWMNUxbLjGgu1v.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u5ps.1.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\Xi37RtmryfYQA7AgXeZvjKIg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\erPoCjwbFUG1W9A8W6y3CW6b.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\zFwKnsnVeTcdv2qgWZnCYFfo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\5t4J6LPx9worlCEV5lJ6PESB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\itMidjIgtoMzghFLrzdYkPDa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\MpHOHCEEUzMhd1hQeZRzVhhz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\8UpBCIaVf6AAjxJPhsi6WXaA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\3kkvcuaTSYv6zr1LL5n1fFGV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\SSO4jRyuUDShfiudMUcxy9PM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\1nTmHrERKdzkaXW6uWP0ApYm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\KaHPEM2tjHD1595lRxdfqHsL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\yUsmdV5pQCUMcoI7bnDHRZY9.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\swiiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\wQWWfYa2Wpi02lLWRtocQHQR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\QGd5vowLDGLbl9fCzFQRFDz6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\sNUwctL7GkZ5u0NI0scxfcy0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\TjI0ijcIo0xtphiVp90L9Ox0.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\UNI7mc4Nnga4yNCGVfbOvnYn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\HAM9LOmldo1zWlB6yIg4ket5.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\OW0IY6qIxwA2vBNesoWOn7tx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\vSXx0NPQvyjoNMnvb7CbbdI3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\tLniRa1wNfVBc8wtGlFeZuV5.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\iwNl8K5vXvEOpYcZRlgRArUI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\wZuV3PgWQZH6WkVb85MHgKez.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\ikwgyD2WNrub0XxL5g8QM7GI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\SYo7pMEIUYDach25xrEqQtfo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\xEsbKulN7hG8EPnegeeycsh4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\U56AmqiMe1O1Xr1D2Q9NTKco.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\vjbBGdKLPrfqevTO8NoyWGaS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\e9BFbVGJvYbRX1O9pfx94p87.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\fbQkxrJoAES30cVcdBN8aXwZ.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\DocuWorks[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\aCC9Y3uZiPILOE7CPQBm3dqe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\XOhApkVOUtZE8u9vX17eosOR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\ZM1H78lrEQNEMSqAF8jMSK2I.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sarra[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\HJ7xEP91cEUeBnkYZsutN6xz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\6OLUTXGxeOohIVqZzcEJ5alb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\o8Jx9jV1oAFDNGwS0JdA5742.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\iWlE1PLcvZdqKeIUsVDIfjKo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\QgQgG9QxK6KBBiRO6TDiG08X.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\Jow4Yx3Pjb1bpRyZH3KDPaVs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\zkP3dJByFmLvW6zaaFPB4q1s.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\ULpJp44l4YgbS9xGxpGd4gFD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\TB8gyY0giMN6fcZjZLzipP7P.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\b135cfRMuAwZwxqPJGvWitOU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\Gp0jcfXPIousEInbW21jIMsf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\1abyUXPEgy4bZxyXlnZFcHZ5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\jEBnyzNlpnxYBpX0SzTsilYc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\5zJHpAJpIRB1HYZQQAYjkJ25.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\oLeePKVd7zLdWzK9yLk3y6uB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\duWjVWTrdvxVwAVHrNA8iMHG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\NVX3Pk7yCVoYnwk8B8rP7BRQ.exe
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe File created: C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\NfgsIliNy2FIhgIHRMVtFDp6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\bgw33Otai3n3FHEj79p4BuQd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\eRuQ9CSoyYCbA7kgv2O4hBGL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\ZoBfdkTi1TzYd4Qho9RGiD49.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\zTSMwf6EqjBUbab8YHX1tAIc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\fCvVPrm4SypzMQ6EiBEadgs1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\XJI9AFzBIfKNprDgZXpUs99e.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\QxCv5P4RWl5NZ4tvZO0mZrz2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u5ps.0.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\NzMhoMiQShLnUxfisrCBpUcg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\UqEUiSMhaNIUaul1PMLhCUwN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\kj4vlWepIIui5EUsEpaKN5uf.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\dUJDpd3reHboCY5zymPoYWZb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\yB6Uf0WkvSc9vwkxXb9qHuqG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\uOTCOcyWGW2C0V1L0OAjLfFo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\QHSpBJfT7rENIQ9ncyZXQ7Pm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\7oogYDdOsBiWJ9MKZ1L5HbFc.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Uni400uni[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\dAQPk6VJcRnzNryadPob76ur.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\FUb10VYVGNCyaJzEYAYj3GQs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\VScSUh49U4ILUy7wHZccpWfB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\s72QQ1HEDtqfs0ltMB4uulZT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\yhDNs5CKgcvWpHQdXrg6et6I.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\b7aAk4NsmjOyCEFaPAgyoXSd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\AyNYT4O47VfBk09nQnrCijm6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\bhUVpYwvm9Cx2G2Rs1dNzx32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\ilujg24U0DrNyFRHYG8F01Xq.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\gold[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\p2n3E86Xy4ldROofshdOCL5V.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\eVxkDSvCJmjQQtpfadM6vVRZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\tqElYl8Fl4JU3kvWVy6e00VW.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\j5y10uqj39KWgJqNPePuwKtH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\PX9pw9BSDC6GcNiwEOwN9eIo.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\swiiii[1].exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\RTdjK9qJEXQ928Kc9bfdj8uO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\l9eBjdHLCrnnkZZKJdDffPtE.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\lGY9WNr93099Iipz5J2xUIwU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\fNXuIJPtZ25Cf8AC2M7nLhvu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\ngPRyE3pVf7AVqsG4El6sbei.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\dG8PuyJTCxed1f6M5xR2MLtX.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\Mpw4JlCHhiliCOOFY4izjnxd.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\szmZp5wR4ysalkWrHfDx3ALH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\QOC4MrQyBEQHndqZcvBUgBgA.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\4767d2e713f2021e8fe856e3ea638b58[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\EwtRoEOPYdd062EDD7ELX587.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\NXiJY5ksTtPuwWHLdp7c611m.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\oda8FFwXlvLarxOY0ZoPcs8X.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\pVHGmT1xb3UJCnVvgRWBUZ7Y.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\Pictures\rig4vLmrODGxubaXNA7eu9mO.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe File created: C:\ProgramData\wikombernizc\reakuqnanrkn.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File created: C:\Windows\Tasks\explorgu.job
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run random.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001AC858 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 26_2_001AC858
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file300un.exe PID: 7672, type: MEMORYSTR
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 00000027.00000002.3456932485.0000027AB9251000.00000004.00000800.00020000.00000000.sdmp, Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A8F87A second address: A8F87E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A8F87E second address: A8F891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738B194DDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A8F891 second address: A8F8D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0738AFBE67h 0x0000000e jmp 00007F0738AFBE61h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0657 second address: AA066A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0738B194DBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA066A second address: AA066F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA066F second address: AA0677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA08EF second address: AA0908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007F0738AFBE5Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0A8C second address: AA0A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0A94 second address: AA0A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0A9B second address: AA0AAB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0738B194E2h 0x00000008 jbe 00007F0738B194D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0BFC second address: AA0C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0C00 second address: AA0C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0C0E second address: AA0C46 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0738AFBE56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0738AFBE66h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0738AFBE62h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA0C46 second address: AA0C5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 je 00007F0738B194E4h 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3751 second address: AA3755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3755 second address: AA3793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F0738B194D8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov esi, dword ptr [ebp+122D3875h] 0x0000002c call 00007F0738B194D9h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3793 second address: AA3797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3797 second address: AA379D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA379D second address: AA37A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA37A3 second address: AA37D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jmp 00007F0738B194DDh 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F0738B194E3h 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA37D9 second address: AA37DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA37DD second address: AA37E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA37E1 second address: AA386E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jnc 00007F0738AFBE60h 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F0738AFBE58h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 jnc 00007F0738AFBE62h 0x00000038 push 00000003h 0x0000003a sub dword ptr [ebp+122D2C25h], esi 0x00000040 push 00000000h 0x00000042 pushad 0x00000043 and dx, 1700h 0x00000048 mov dword ptr [ebp+122D2ADBh], eax 0x0000004e popad 0x0000004f push 00000003h 0x00000051 movzx ecx, bx 0x00000054 call 00007F0738AFBE59h 0x00000059 push eax 0x0000005a push edx 0x0000005b push edi 0x0000005c jmp 00007F0738AFBE60h 0x00000061 pop edi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA386E second address: AA38A6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0738B194EAh 0x00000008 jmp 00007F0738B194E4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0738B194E5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA38A6 second address: AA38C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA39D0 second address: AA3A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007F0738B194D6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e nop 0x0000000f push edi 0x00000010 mov dword ptr [ebp+122D2B03h], edi 0x00000016 pop edx 0x00000017 push 00000000h 0x00000019 add edx, 6EC11199h 0x0000001f push EF153085h 0x00000024 jmp 00007F0738B194DBh 0x00000029 add dword ptr [esp], 10EACFFBh 0x00000030 mov dword ptr [ebp+122D2D56h], eax 0x00000036 push 00000003h 0x00000038 sub dword ptr [ebp+122D2AD7h], esi 0x0000003e mov esi, ebx 0x00000040 push 00000000h 0x00000042 add dword ptr [ebp+122D29B2h], ebx 0x00000048 push 00000003h 0x0000004a mov edx, dword ptr [ebp+122D2D6Dh] 0x00000050 call 00007F0738B194D9h 0x00000055 jmp 00007F0738B194E0h 0x0000005a push eax 0x0000005b jmp 00007F0738B194DCh 0x00000060 mov eax, dword ptr [esp+04h] 0x00000064 pushad 0x00000065 pushad 0x00000066 jc 00007F0738B194D6h 0x0000006c jmp 00007F0738B194E0h 0x00000071 popad 0x00000072 push ebx 0x00000073 pushad 0x00000074 popad 0x00000075 pop ebx 0x00000076 popad 0x00000077 mov eax, dword ptr [eax] 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jng 00007F0738B194D6h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3B2E second address: AA3B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3B46 second address: AA3C3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 movzx ecx, si 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D2C6Ah], ecx 0x0000001b push 3F7F2421h 0x00000020 jmp 00007F0738B194DDh 0x00000025 xor dword ptr [esp], 3F7F24A1h 0x0000002c call 00007F0738B194E0h 0x00000031 mov esi, 5C752D2Bh 0x00000036 pop ecx 0x00000037 push 00000003h 0x00000039 call 00007F0738B194E7h 0x0000003e mov dword ptr [ebp+12447864h], ebx 0x00000044 pop edi 0x00000045 push 00000000h 0x00000047 mov esi, dword ptr [ebp+122D39D1h] 0x0000004d push 00000003h 0x0000004f jc 00007F0738B194DBh 0x00000055 sub dx, 0F20h 0x0000005a and esi, 630DD230h 0x00000060 call 00007F0738B194D9h 0x00000065 jmp 00007F0738B194E0h 0x0000006a push eax 0x0000006b jmp 00007F0738B194E3h 0x00000070 mov eax, dword ptr [esp+04h] 0x00000074 push eax 0x00000075 jns 00007F0738B194DCh 0x0000007b pop eax 0x0000007c mov eax, dword ptr [eax] 0x0000007e push edi 0x0000007f jnp 00007F0738B194ECh 0x00000085 jmp 00007F0738B194E6h 0x0000008a pop edi 0x0000008b mov dword ptr [esp+04h], eax 0x0000008f pushad 0x00000090 pushad 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3C3E second address: AA3C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AA3C56 second address: AA3CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0738B194D8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D2BA4h], esi 0x00000028 push edi 0x00000029 movsx edi, bx 0x0000002c pop ecx 0x0000002d lea ebx, dword ptr [ebp+1244B697h] 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F0738B194D8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d adc cx, DEA1h 0x00000052 jg 00007F0738B194DCh 0x00000058 mov dword ptr [ebp+122D2A96h], ecx 0x0000005e xchg eax, ebx 0x0000005f je 00007F0738B194E4h 0x00000065 push edi 0x00000066 jmp 00007F0738B194DCh 0x0000006b pop edi 0x0000006c push eax 0x0000006d jl 00007F0738B194E2h 0x00000073 js 00007F0738B194DCh 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC4175 second address: AC4182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC4182 second address: AC418A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC418A second address: AC418F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC21F4 second address: AC2201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jc 00007F0738B194D6h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2308 second address: AC230E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC230E second address: AC2312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2A40 second address: AC2A45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2A45 second address: AC2A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2A4B second address: AC2A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2A51 second address: AC2A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2D3D second address: AC2D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2D43 second address: AC2D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2EA5 second address: AC2EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2FF3 second address: AC2FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC2FF9 second address: AC3011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0738AFBE5Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC3011 second address: AC3016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC315C second address: AC319B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0738AFBE5Dh 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushad 0x0000000f jbe 00007F0738AFBE56h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jne 00007F0738AFBE56h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0738AFBE61h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A92E28 second address: A92E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 jns 00007F0738B194D6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC4001 second address: AC4033 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738AFBE56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0738AFBE64h 0x00000012 jmp 00007F0738AFBE5Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC4033 second address: AC4038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC6DDB second address: AC6DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC6DE0 second address: AC6DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0738B194D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC6DEA second address: AC6DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC6DEE second address: AC6E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jp 00007F0738B194E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0738B194E2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC6E22 second address: AC6E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC72B0 second address: AC72D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738B194E9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC72D5 second address: AC72F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC5C0D second address: AC5C22 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F0738B194D8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC5C22 second address: AC5C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0738AFBE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC6383 second address: AC638E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC7676 second address: AC769C instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F0738AFBE62h 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC769C second address: AC76B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AC76B0 second address: AC76BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A96408 second address: A9642B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DEh 0x00000007 push edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738B194DBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACECE2 second address: ACECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACECE8 second address: ACECED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACECED second address: ACED14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0738AFBE65h 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F0738AFBE58h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE331 second address: ACE34A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0738B194D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738B194DAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE34A second address: ACE352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE4A5 second address: ACE4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE94F second address: ACE955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE955 second address: ACE959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE959 second address: ACE986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738AFBE63h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE986 second address: ACE98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE98A second address: ACE994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE994 second address: ACE99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0738B194D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACE99E second address: ACE9A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACEB60 second address: ACEB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACEB64 second address: ACEB70 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACEB70 second address: ACEB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ACEB74 second address: ACEB78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD1F39 second address: AD1F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2001 second address: AD2006 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2006 second address: AD203C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F0738B194E6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jng 00007F0738B194D8h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD203C second address: AD2045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2045 second address: AD2049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2049 second address: AD20C2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F0738AFBE63h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ecx 0x00000017 jnp 00007F0738AFBE6Ah 0x0000001d pop ecx 0x0000001e pop eax 0x0000001f sub esi, 384566D2h 0x00000025 call 00007F0738AFBE59h 0x0000002a jmp 00007F0738AFBE66h 0x0000002f push eax 0x00000030 jc 00007F0738AFBE5Ah 0x00000036 mov eax, dword ptr [esp+04h] 0x0000003a pushad 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD20C2 second address: AD20CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD20CC second address: AD20DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD20DA second address: AD20E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD246B second address: AD2470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2470 second address: AD247F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD247F second address: AD2483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2483 second address: AD2487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD2638 second address: AD2642 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD30E4 second address: AD30E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD30E8 second address: AD30EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD335D second address: AD3363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD3363 second address: AD3384 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F0738AFBE56h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push ecx 0x00000010 jmp 00007F0738AFBE5Ah 0x00000015 pop edi 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD3384 second address: AD338F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0738B194D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD338F second address: AD3395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD4337 second address: AD433B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD416E second address: AD418D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD418D second address: AD4192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD531C second address: AD5326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD5326 second address: AD532A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD532A second address: AD5388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+1244BF8Fh], esi 0x0000000e sub si, 1085h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F0738AFBE58h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr [ebp+1244D3E9h], ecx 0x00000035 jmp 00007F0738AFBE66h 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+1244D405h], ebx 0x00000042 xchg eax, ebx 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD5388 second address: AD538C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD5C59 second address: AD5C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD6A08 second address: AD6A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADA20F second address: ADA215 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADE95C second address: ADE9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push edi 0x0000000a sub edi, dword ptr [ebp+122DB47Bh] 0x00000010 pop edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F0738B194D8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d and edi, dword ptr [ebp+122D384Dh] 0x00000033 push 00000000h 0x00000035 mov edi, eax 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jne 00007F0738B194D6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADE9A8 second address: ADE9B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADEAE4 second address: ADEAF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADEAF7 second address: ADEB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADEB01 second address: ADEB05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE0995 second address: AE0A0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D3A75h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F0738AFBE58h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 movsx ebx, dx 0x0000003a mov eax, dword ptr [ebp+122D1355h] 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007F0738AFBE58h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a movsx ebx, di 0x0000005d push FFFFFFFFh 0x0000005f push eax 0x00000060 clc 0x00000061 pop ebx 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 push edx 0x00000066 push edi 0x00000067 pop edi 0x00000068 pop edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE0A0A second address: AE0A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE1A18 second address: AE1A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007F0738AFBE5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE1A25 second address: AE1AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F0738B194E6h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0738B194D8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d movzx ebx, cx 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007F0738B194D8h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 mov edi, 691D45B0h 0x00000056 mov eax, dword ptr [ebp+122D02F5h] 0x0000005c push FFFFFFFFh 0x0000005e sub dword ptr [ebp+122D2D04h], edi 0x00000064 nop 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F0738B194DFh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE1AC2 second address: AE1AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0738AFBE62h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE3797 second address: AE37A1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE37A1 second address: AE37B3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738AFBE58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE37B3 second address: AE37B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE37B7 second address: AE37C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F0738AFBE56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE47AE second address: AE47B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE398A second address: AE398E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE47B9 second address: AE47BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE398E second address: AE3994 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE47BD second address: AE4846 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F0738B194D8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F0738B194D8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007F0738B194D8h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e jl 00007F0738B194E3h 0x00000064 jmp 00007F0738B194DDh 0x00000069 xchg eax, esi 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jnc 00007F0738B194D6h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE3994 second address: AE3999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE4846 second address: AE484C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE484C second address: AE4852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE5903 second address: AE5964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738B194E3h 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e add di, 4594h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F0738B194D8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f movzx ebx, si 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov dword ptr [ebp+1244D249h], edx 0x0000003b mov ah, A7h 0x0000003d popad 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 jbe 00007F0738B194DCh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE5964 second address: AE5983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F0738AFBE63h 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE5983 second address: AE598C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE9B07 second address: AE9B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F0738AFBE58h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 movsx edi, cx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F0738AFBE58h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov bl, 3Eh 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 pushad 0x00000049 push edx 0x0000004a pop edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE9B5E second address: AE9B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F0738B194D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEAA43 second address: AEAA47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE6B69 second address: AE6B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE6B6D second address: AE6B8F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e jmp 00007F0738AFBE5Bh 0x00000013 pop edi 0x00000014 jc 00007F0738AFBE5Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AE9D79 second address: AE9D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F0738B194DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEBAD0 second address: AEBAED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEBAED second address: AEBAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEAC85 second address: AEAC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEBAF1 second address: AEBB09 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jne 00007F0738B194D6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEAC9C second address: AEACAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEBB09 second address: AEBB8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E3h 0x00000008 jmp 00007F0738B194E8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F0738B194D8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b add dword ptr [ebp+122D29E3h], edi 0x00000031 push 00000000h 0x00000033 clc 0x00000034 push 00000000h 0x00000036 mov ebx, dword ptr [ebp+1244C9CBh] 0x0000003c xchg eax, esi 0x0000003d jmp 00007F0738B194E1h 0x00000042 push eax 0x00000043 pushad 0x00000044 jng 00007F0738B194DCh 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEBB8E second address: AEBB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AEDEB4 second address: AEDEE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F0738B194E4h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF0CFC second address: AF0D2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007F0738AFBE5Dh 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF5FD4 second address: AF5FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0738B194DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF5FF2 second address: AF6010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0738AFBE68h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF6010 second address: AF6014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF6014 second address: AF601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF56C0 second address: AF56D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E0h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AF939D second address: AF93A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A97EA2 second address: A97EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A97EAF second address: A97EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A97EB3 second address: A97ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F0738B194E7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A97ED2 second address: A97EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE67h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFF5F6 second address: AFF610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194E0h 0x00000009 jnl 00007F0738B194D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFF610 second address: AFF61E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F0738AFBE56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFF8C2 second address: AFF8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFF8C6 second address: AFF8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFF8CD second address: AFF8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0738B194DCh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFFA46 second address: AFFA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFFA4C second address: AFFA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFFD9A second address: AFFDBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE68h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F0738AFBE56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AFFF5A second address: AFFF5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B05AA9 second address: B05AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B047C1 second address: B04804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0738B194D6h 0x0000000a popad 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 jo 00007F0738B194D6h 0x00000016 pop esi 0x00000017 push esi 0x00000018 jmp 00007F0738B194DDh 0x0000001d jmp 00007F0738B194E9h 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B04804 second address: B04818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B04818 second address: B0481C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B04967 second address: B04989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE69h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B04989 second address: B049AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0738B194E1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F0738B194D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B044DE second address: B044E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B044E2 second address: B044F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jc 00007F0738B194D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B051E2 second address: B051E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B051E7 second address: B051FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0738B194D6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B051FA second address: B05238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F0738AFBE64h 0x00000010 jns 00007F0738AFBE56h 0x00000016 popad 0x00000017 js 00007F0738AFBE68h 0x0000001d jmp 00007F0738AFBE62h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: A913E8 second address: A913FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jg 00007F0738B194D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBA05 second address: ADBA1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jo 00007F0738AFBE56h 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBA1C second address: ADBA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jo 00007F0738B194E5h 0x00000010 pushad 0x00000011 jmp 00007F0738B194DBh 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 pop eax 0x0000001a mov dword ptr [ebp+122D2C6Ah], esi 0x00000020 push BE79C39Fh 0x00000025 pushad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBA4B second address: ADBA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE67h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBCB1 second address: ADBCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBCB5 second address: ADBCCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBEF3 second address: ADBEF9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADBEF9 second address: ADBF75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0738AFBE5Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F0738AFBE58h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a ja 00007F0738AFBE59h 0x00000030 push 00000004h 0x00000032 adc ecx, 490CB917h 0x00000038 nop 0x00000039 push ebx 0x0000003a jmp 00007F0738AFBE5Ah 0x0000003f pop ebx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jo 00007F0738AFBE5Ch 0x00000049 js 00007F0738AFBE56h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC31A second address: ADC31F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC31F second address: ADC331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007F0738AFBE64h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC331 second address: ADC335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC335 second address: ADC3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F0738AFBE58h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov dword ptr [ebp+1244868Bh], edi 0x00000027 push 0000001Eh 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F0738AFBE58h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov cl, 24h 0x00000045 nop 0x00000046 jmp 00007F0738AFBE69h 0x0000004b push eax 0x0000004c pushad 0x0000004d jno 00007F0738AFBE5Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC3B0 second address: ADC3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC3B4 second address: ADC3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC794 second address: ADC798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC798 second address: ADC7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jng 00007F0738AFBE58h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jnl 00007F0738AFBE58h 0x00000017 popad 0x00000018 nop 0x00000019 push eax 0x0000001a pop ecx 0x0000001b lea eax, dword ptr [ebp+124830FBh] 0x00000021 or dword ptr [ebp+1244D0A1h], eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b jo 00007F0738AFBE56h 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC7CC second address: ADC7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0F1B5 second address: B0F1B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0F1B9 second address: B0F1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0F2F6 second address: B0F32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0738AFBE61h 0x0000000b popad 0x0000000c jmp 00007F0738AFBE67h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jng 00007F0738AFBE56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0F32F second address: B0F34A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F0738B194E0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0F34A second address: B0F366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0738AFBE5Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0F366 second address: B0F38F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738B194D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F0738B194D6h 0x00000011 jmp 00007F0738B194E4h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B0FBE0 second address: B0FC19 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0738AFBE56h 0x00000008 jmp 00007F0738AFBE64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0738AFBE68h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B11693 second address: B11699 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B11699 second address: B1169F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B16417 second address: B1641C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1641C second address: B16436 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0738AFBE6Ch 0x00000008 jmp 00007F0738AFBE60h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B16AE8 second address: B16AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B16AEC second address: B16B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0738AFBE5Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B16EEA second address: B16F16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738B194E6h 0x0000000b push ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F0738B194D6h 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B16F16 second address: B16F26 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B16F26 second address: B16F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B17084 second address: B1708A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1708A second address: B1708F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1708F second address: B170AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0738AFBE67h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B170AB second address: B170F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F0738B194E1h 0x0000000b jmp 00007F0738B194E3h 0x00000010 jmp 00007F0738B194E8h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B172B1 second address: B172CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738AFBE69h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B172CF second address: B172D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1BBDB second address: B1BBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1BBE2 second address: B1BBE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1BBE8 second address: B1BBEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1B4FA second address: B1B506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1B506 second address: B1B50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1B7A6 second address: B1B7B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0738B194D6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1DF6E second address: B1DF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1DB37 second address: B1DB3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B1DB3D second address: B1DB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738AFBE5Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B23688 second address: B2368D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2368D second address: B23699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F0738AFBE56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: ADC18B second address: ADC190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B23C54 second address: B23C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jbe 00007F0738AFBE79h 0x0000000f jmp 00007F0738AFBE62h 0x00000014 jmp 00007F0738AFBE61h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B23C86 second address: B23CA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E5h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B26E7B second address: B26EAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0738AFBE69h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B26EAE second address: B26EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B26EB5 second address: B26EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B26EBD second address: B26EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B27047 second address: B27050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B27050 second address: B27054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B27054 second address: B27058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B27058 second address: B2706A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0738B194D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2706A second address: B2706E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2A7D7 second address: B2A81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jng 00007F0738B194D6h 0x0000000e jmp 00007F0738B194E8h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 jmp 00007F0738B194E6h 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2A81C second address: B2A825 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AAD2 second address: B2AAE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738B194D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AAE0 second address: B2AAE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AAE4 second address: B2AAEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AC81 second address: B2AC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AC8B second address: B2ACA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738B194E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2ACA0 second address: B2ACC0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F0738AFBE56h 0x0000000e jmp 00007F0738AFBE62h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2ADFB second address: B2ADFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AF48 second address: B2AF4E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AF4E second address: B2AF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0738B194E5h 0x0000000b pushad 0x0000000c jnp 00007F0738B194D6h 0x00000012 jnp 00007F0738B194D6h 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B2AF7A second address: B2AF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F0738AFBE60h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B32A19 second address: B32A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B3335E second address: B33372 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0738AFBE56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F0738AFBE56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B33372 second address: B33390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0738B194E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B33390 second address: B33394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B336CA second address: B336D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B33F60 second address: B33F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B33F66 second address: B33F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B33F6A second address: B33F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B345EF second address: B34626 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0738B194E5h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0738B194E7h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B34626 second address: B3462A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B3462A second address: B3463E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738B194D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F0738B194DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B386C2 second address: B386CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B386CA second address: B386E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0738B194E0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37939 second address: B37943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37943 second address: B3794D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B3794D second address: B3795D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0738AFBE5Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37AA5 second address: B37AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37AA9 second address: B37AC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37E98 second address: B37E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37E9E second address: B37EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37EBB second address: B37EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0738B194D6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B37EC6 second address: B37ED0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B400DD second address: B400ED instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738B194D6h 0x00000008 jp 00007F0738B194D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B400ED second address: B40102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F0738AFBE56h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B47D9D second address: B47DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B47DA2 second address: B47DAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0738AFBE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B46036 second address: B46075 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738B194ECh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0738B194E4h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F0738B194D6h 0x0000001a jmp 00007F0738B194E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B46075 second address: B460A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0738AFBE5Fh 0x0000000e push edi 0x0000000f jg 00007F0738AFBE56h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B463C9 second address: B463CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B463CD second address: B463E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B463E5 second address: B46403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F0738B194D8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B46403 second address: B4640A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B4651C second address: B46536 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0738B194DCh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F0738B194D6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B46816 second address: B4681C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B4681C second address: B46820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B46820 second address: B46824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B4D767 second address: B4D76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B4D76B second address: B4D783 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0738AFBE56h 0x00000008 jc 00007F0738AFBE56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B4D4A7 second address: B4D4AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B5905D second address: B59070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B59070 second address: B5907A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0738B194D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B591D9 second address: B591E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B591E1 second address: B591E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B591E7 second address: B591F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B5E821 second address: B5E825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B5E825 second address: B5E82C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B6B4E6 second address: B6B4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007F0738B194DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B6EE27 second address: B6EE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B6EE2F second address: B6EE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B7494D second address: B74957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B731F7 second address: B731FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B731FB second address: B73203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B7338E second address: B73394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B73394 second address: B7339A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B7339A second address: B733C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0738B194E0h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F0738B194DCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B733C9 second address: B733CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B736B1 second address: B736CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F0738B194E2h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B73828 second address: B73839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738AFBE5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B73839 second address: B7384D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0738B194D6h 0x0000000a jmp 00007F0738B194DAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B7384D second address: B73851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B74609 second address: B74616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0738B194D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B74616 second address: B74625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F0738AFBE56h 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B74625 second address: B74630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B74630 second address: B74636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B74636 second address: B7463C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B77B59 second address: B77B64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0738AFBE56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B77B64 second address: B77B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0738B194E1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B77B7E second address: B77B8F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0738AFBE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B77B8F second address: B77BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0738B194E2h 0x0000000f jc 00007F0738B194D6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B7A5FF second address: B7A603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B84E68 second address: B84E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B8D81C second address: B8D84F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0738AFBE5Dh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jl 00007F0738AFBE6Ch 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0738AFBE64h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B8D84F second address: B8D857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B8F3E6 second address: B8F3EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B9C20B second address: B9C20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B9C20F second address: B9C230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B9DC45 second address: B9DC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: B9DC49 second address: B9DC63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F0738AFBE56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB7A7C second address: BB7A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB7BAA second address: BB7BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0738AFBE60h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB7BC2 second address: BB7BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0738B194DAh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB87CA second address: BB87D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB87D4 second address: BB87E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0738B194DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB87E2 second address: BB880F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007F0738AFBE5Eh 0x0000000f jg 00007F0738AFBE56h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F0738AFBE63h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BB880F second address: BB883D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F0738B194D6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F0738B194D6h 0x00000015 jmp 00007F0738B194E9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BBCADF second address: BBCAE9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0738AFBE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: BBCD4C second address: BBCD52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52600FA second address: 52600FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52600FF second address: 5260110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260110 second address: 5260114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260114 second address: 5260118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260118 second address: 526011E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 526011E second address: 526012D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 526012D second address: 526014A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738AFBE60h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240E67 second address: 5240E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240E6B second address: 5240E71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240E71 second address: 5240F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, B0h 0x00000005 pushfd 0x00000006 jmp 00007F0738B194E7h 0x0000000b sub ecx, 1BE1F5FEh 0x00000011 jmp 00007F0738B194E9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0738B194E7h 0x00000022 sbb esi, 0AE8480Eh 0x00000028 jmp 00007F0738B194E9h 0x0000002d popfd 0x0000002e mov dh, al 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F0738B194DFh 0x0000003b sbb eax, 4603861Eh 0x00000041 jmp 00007F0738B194E9h 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240F22 second address: 5240F64 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0738AFBE60h 0x00000008 and ecx, 48A77C18h 0x0000000e jmp 00007F0738AFBE5Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ecx, 24C937CFh 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0738AFBE61h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240F64 second address: 5240F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240F74 second address: 5240F86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5290067 second address: 52900C1 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, ebx 0x0000000c pushfd 0x0000000d jmp 00007F0738B194DFh 0x00000012 or esi, 5744D84Eh 0x00000018 jmp 00007F0738B194E9h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0738B194E8h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52900C1 second address: 52900C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52900C7 second address: 52900CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52900CD second address: 5290106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738AFBE67h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5290106 second address: 5290152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, cx 0x00000010 pushfd 0x00000011 jmp 00007F0738B194E4h 0x00000016 sbb ecx, 67C6FE48h 0x0000001c jmp 00007F0738B194DBh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220161 second address: 5220167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220167 second address: 52201B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0738B194E8h 0x00000009 add ah, FFFFFF98h 0x0000000c jmp 00007F0738B194DBh 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 mov edx, 7F4F1B86h 0x0000001e mov dl, 6Ah 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 call 00007F0738B194DBh 0x0000002a pop esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52201B3 second address: 52201B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52201B8 second address: 52201BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52201BE second address: 522024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F0738AFBE5Ch 0x00000014 pushfd 0x00000015 jmp 00007F0738AFBE62h 0x0000001a adc ecx, 63D83BB8h 0x00000020 jmp 00007F0738AFBE5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 jmp 00007F0738AFBE68h 0x0000002c popad 0x0000002d push dword ptr [ebp+04h] 0x00000030 jmp 00007F0738AFBE60h 0x00000035 push dword ptr [ebp+0Ch] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007F0738AFBE5Dh 0x00000040 mov ax, 7CB7h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220298 second address: 52202BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738B194E5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240B75 second address: 5240B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240B7B second address: 5240B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524080F second address: 5240813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240813 second address: 5240819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240819 second address: 524088F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0738AFBE5Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 call 00007F0738AFBE64h 0x00000016 pop edi 0x00000017 call 00007F0738AFBE5Eh 0x0000001c jmp 00007F0738AFBE62h 0x00000021 pop ecx 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007F0738AFBE61h 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov bh, 71h 0x00000030 mov esi, 61AC774Bh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524088F second address: 5240895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240895 second address: 5240899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240760 second address: 5240766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240766 second address: 524076C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524076C second address: 5240770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240770 second address: 5240798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov cx, dx 0x0000000d movsx edx, ax 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 jmp 00007F0738AFBE5Eh 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240798 second address: 52407B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52407B5 second address: 52407C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240495 second address: 5240512 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0738B194DCh 0x00000012 and ax, C4F8h 0x00000017 jmp 00007F0738B194DBh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F0738B194E8h 0x00000023 xor esi, 01D21F58h 0x00000029 jmp 00007F0738B194DBh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 jmp 00007F0738B194E6h 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F0738B194DAh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240512 second address: 5240518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240518 second address: 524051E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524051E second address: 5240522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E0F second address: 5280E1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E1D second address: 5280E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E21 second address: 5280E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E25 second address: 5280E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E2B second address: 5280E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E31 second address: 5280E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280E35 second address: 5280E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0738B194DEh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F0738B194DEh 0x0000001a and ch, FFFFFFF8h 0x0000001d jmp 00007F0738B194DBh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 call 00007F0738B194E6h 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 526045C second address: 5260471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 0DD5EDFFh 0x00000008 mov cx, 6B1Bh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260471 second address: 52604AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, B8h 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007F0738B194DAh 0x0000000f pop esi 0x00000010 mov dh, 67h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F0738B194DAh 0x00000019 mov ebp, esp 0x0000001b jmp 00007F0738B194E0h 0x00000020 mov eax, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52604AF second address: 52604CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52604CC second address: 5260502 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0738B194E7h 0x00000008 mov bx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and dword ptr [eax], 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0738B194E1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260502 second address: 526052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738AFBE5Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240666 second address: 524066D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524066D second address: 524067B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524067B second address: 524067F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 524067F second address: 5240685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5240685 second address: 52406FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0738B194DEh 0x00000013 sub ax, 6178h 0x00000018 jmp 00007F0738B194DBh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F0738B194E8h 0x00000024 xor ecx, 4BAFFBD8h 0x0000002a jmp 00007F0738B194DBh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F0738B194E5h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260019 second address: 5260050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0738AFBE5Eh 0x0000000f push eax 0x00000010 jmp 00007F0738AFBE5Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260050 second address: 5260054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260054 second address: 526006F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 526006F second address: 5260075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260075 second address: 5260079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260079 second address: 526007D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 526007D second address: 5260093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE5Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5260093 second address: 52600AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dl, 63h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738B194DBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 528067A second address: 5280680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280680 second address: 5280684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280684 second address: 5280688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280688 second address: 52806A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0738B194E5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52806A8 second address: 52806AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52806AE second address: 52806B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52806B2 second address: 52806FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F0738AFBE66h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0738AFBE67h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52806FF second address: 5280728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop esi 0x0000000f mov edx, 387DAAFAh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280728 second address: 528074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE5Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 528074D second address: 5280772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738B194E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280772 second address: 52807B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 mov eax, dword ptr [774365FCh] 0x0000000e pushad 0x0000000f pushad 0x00000010 mov eax, edi 0x00000012 mov ch, bl 0x00000014 popad 0x00000015 popad 0x00000016 test eax, eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F0738AFBE62h 0x00000021 xor esi, 6FF0D558h 0x00000027 jmp 00007F0738AFBE5Bh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52807B2 second address: 52807EC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F0738B194E4h 0x0000000b movzx esi, di 0x0000000e pop edx 0x0000000f popad 0x00000010 je 00007F07AAC4C66Bh 0x00000016 pushad 0x00000017 mov cx, 0BEFh 0x0000001b mov al, 78h 0x0000001d popad 0x0000001e mov ecx, eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov eax, 06B6CEDFh 0x00000028 mov cl, 79h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52807EC second address: 528087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F0738AFBE61h 0x00000011 and ecx, 1Fh 0x00000014 pushad 0x00000015 call 00007F0738AFBE5Ch 0x0000001a pushfd 0x0000001b jmp 00007F0738AFBE62h 0x00000020 and cx, 1ED8h 0x00000025 jmp 00007F0738AFBE5Bh 0x0000002a popfd 0x0000002b pop esi 0x0000002c mov di, 2C1Ch 0x00000030 popad 0x00000031 ror eax, cl 0x00000033 jmp 00007F0738AFBE5Bh 0x00000038 leave 0x00000039 jmp 00007F0738AFBE66h 0x0000003e retn 0004h 0x00000041 nop 0x00000042 mov esi, eax 0x00000044 lea eax, dword ptr [ebp-08h] 0x00000047 xor esi, dword ptr [00921014h] 0x0000004d push eax 0x0000004e push eax 0x0000004f push eax 0x00000050 lea eax, dword ptr [ebp-10h] 0x00000053 push eax 0x00000054 call 00007F073D49CCA9h 0x00000059 push FFFFFFFEh 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 528087B second address: 5280881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5280881 second address: 52808C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F0738AFBE60h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007F073D49CCDAh 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a mov ecx, 0E8C2B0Dh 0x0000001f mov ax, 6B09h 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 mov ecx, 362A7241h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230012 second address: 5230039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738B194E5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230039 second address: 5230049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230049 second address: 52300AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0738B194DFh 0x00000013 or ax, 435Eh 0x00000018 jmp 00007F0738B194E9h 0x0000001d popfd 0x0000001e mov di, si 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F0738B194E9h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52300AB second address: 52300B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52300B1 second address: 52300FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0738B194E5h 0x00000011 or ax, 45A6h 0x00000016 jmp 00007F0738B194E1h 0x0000001b popfd 0x0000001c mov ecx, 776A1CD7h 0x00000021 popad 0x00000022 and esp, FFFFFFF8h 0x00000025 pushad 0x00000026 mov ax, CFCFh 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52300FB second address: 52300FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52300FF second address: 5230103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230103 second address: 5230120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0738AFBE63h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230120 second address: 5230174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 pushfd 0x00000011 jmp 00007F0738B194DFh 0x00000016 add ax, 339Eh 0x0000001b jmp 00007F0738B194E9h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230174 second address: 52301BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F0738AFBE5Eh 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F0738AFBE60h 0x00000015 push eax 0x00000016 jmp 00007F0738AFBE5Bh 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52301BE second address: 5230206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007F0738B194E0h 0x00000011 xchg eax, esi 0x00000012 jmp 00007F0738B194E0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F0738B194DCh 0x00000020 pop ecx 0x00000021 mov eax, edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230206 second address: 5230230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE67h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230230 second address: 5230248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230248 second address: 5230292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f call 00007F0738AFBE64h 0x00000014 mov dh, ch 0x00000016 pop edi 0x00000017 mov eax, 29BD4223h 0x0000001c popad 0x0000001d xchg eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0738AFBE65h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230292 second address: 5230298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230298 second address: 52302A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52302A6 second address: 52302AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52302AE second address: 52302B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52302B4 second address: 52302B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52302B8 second address: 52302BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52302BC second address: 52302EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 jmp 00007F0738B194E0h 0x0000000e test esi, esi 0x00000010 pushad 0x00000011 mov cl, E4h 0x00000013 mov si, di 0x00000016 popad 0x00000017 je 00007F07AAC9780Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov si, EA7Dh 0x00000024 movzx esi, bx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52302EF second address: 523038C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 movzx ecx, bx 0x00000014 mov dh, 54h 0x00000016 popad 0x00000017 je 00007F07AAC7A16Ch 0x0000001d jmp 00007F0738AFBE62h 0x00000022 mov edx, dword ptr [esi+44h] 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F0738AFBE5Eh 0x0000002c and eax, 5082DA18h 0x00000032 jmp 00007F0738AFBE5Bh 0x00000037 popfd 0x00000038 mov esi, 59E36DCFh 0x0000003d popad 0x0000003e or edx, dword ptr [ebp+0Ch] 0x00000041 jmp 00007F0738AFBE62h 0x00000046 test edx, 61000000h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F0738AFBE67h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 523038C second address: 52303CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F07AAC977C8h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0738B194E8h 0x00000019 sbb cl, 00000038h 0x0000001c jmp 00007F0738B194DBh 0x00000021 popfd 0x00000022 mov ah, 73h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52303CA second address: 52303DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52303DF second address: 523043A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f jmp 00007F0738B194DEh 0x00000014 jne 00007F07AAC9776Fh 0x0000001a jmp 00007F0738B194E0h 0x0000001f test bl, 00000007h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0738B194E7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 523043A second address: 5230440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230440 second address: 5230444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52208FD second address: 5220901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220901 second address: 5220907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220907 second address: 5220939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0738AFBE67h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220939 second address: 5220951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220951 second address: 522098F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0738AFBE69h 0x00000012 and si, DC66h 0x00000017 jmp 00007F0738AFBE61h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 522098F second address: 5220995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220995 second address: 52209B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52209B9 second address: 5220A28 instructions: 0x00000000 rdtsc 0x00000002 mov si, 4349h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F0738B194E6h 0x0000000d pushfd 0x0000000e jmp 00007F0738B194E2h 0x00000013 adc ecx, 1FC830C8h 0x00000019 jmp 00007F0738B194DBh 0x0000001e popfd 0x0000001f pop eax 0x00000020 popad 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov cx, 4E37h 0x0000002b pushfd 0x0000002c jmp 00007F0738B194DCh 0x00000031 adc ecx, 67CBB328h 0x00000037 jmp 00007F0738B194DBh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220A28 second address: 5220A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220A40 second address: 5220A67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0738B194E2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220A67 second address: 5220A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738AFBE5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220A79 second address: 5220A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220A7D second address: 5220AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F0738AFBE67h 0x0000000f je 00007F07AAC81746h 0x00000015 jmp 00007F0738AFBE66h 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 jmp 00007F0738AFBE60h 0x00000026 mov ecx, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220AD9 second address: 5220ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220ADD second address: 5220AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220AFA second address: 5220B22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F07AAC9ED76h 0x0000000f pushad 0x00000010 mov esi, 362DE981h 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 test byte ptr [77436968h], 00000002h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push edi 0x00000023 pop ecx 0x00000024 mov ax, dx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220B22 second address: 5220B8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0738AFBE68h 0x00000008 pop ecx 0x00000009 mov ah, bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F07AAC816C9h 0x00000014 jmp 00007F0738AFBE5Ah 0x00000019 mov edx, dword ptr [ebp+0Ch] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F0738AFBE5Eh 0x00000023 sub al, 00000058h 0x00000026 jmp 00007F0738AFBE5Bh 0x0000002b popfd 0x0000002c mov si, 5E0Fh 0x00000030 popad 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0738AFBE5Ch 0x0000003b rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220B8B second address: 5220B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220B8F second address: 5220B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220B95 second address: 5220BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov eax, 2A340FEFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220BA9 second address: 5220BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220BAD second address: 5220BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220BBB second address: 5220C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0738AFBE61h 0x00000009 jmp 00007F0738AFBE5Bh 0x0000000e popfd 0x0000000f push ecx 0x00000010 pop edi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebx 0x00000015 jmp 00007F0738AFBE62h 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c mov ebx, eax 0x0000001e pushfd 0x0000001f jmp 00007F0738AFBE5Ah 0x00000024 or esi, 5A5E12D8h 0x0000002a jmp 00007F0738AFBE5Bh 0x0000002f popfd 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F0738AFBE64h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220C2D second address: 5220C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, cx 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220C46 second address: 5220C8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007F0738AFBE5Bh 0x0000000b and esi, 6C9127AEh 0x00000011 jmp 00007F0738AFBE69h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+14h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0738AFBE5Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220D21 second address: 5220D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5220D27 second address: 5220D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD4F52 second address: AD4F71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F0738B194DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD518D second address: AD5197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0738AFBE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: AD5197 second address: AD519B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230E32 second address: 5230E38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230AB1 second address: 5230AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230AB5 second address: 5230ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230ABB second address: 5230B1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0738B194E0h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F0738B194E1h 0x00000016 movzx ecx, bx 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F0738B194E3h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0738B194E5h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230B1E second address: 5230B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230B24 second address: 5230B42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0738B194E1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 5230B42 second address: 5230B57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52B07C0 second address: 52B07C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52B07C6 second address: 52B07DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738AFBE5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52B07DC second address: 52B07E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52B07E3 second address: 52B07E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52B07E9 second address: 52B0806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0738B194DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ax, dx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A07B7 second address: 52A081D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 87C4h 0x00000007 push edi 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pushfd 0x00000013 jmp 00007F0738AFBE5Ch 0x00000018 sub esi, 3F0BCC78h 0x0000001e jmp 00007F0738AFBE5Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [esp], ebp 0x00000028 jmp 00007F0738AFBE66h 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0738AFBE67h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A081D second address: 52A0823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A0823 second address: 52A0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A06ED second address: 52A06F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A06F3 second address: 52A0725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A7B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F0738AFBE66h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0738AFBE5Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A0725 second address: 52A0737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0738B194DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A0737 second address: 52A073B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe RDTSC instruction interceptor: First address: 52A073B second address: 52A077A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movsx edi, si 0x0000000d jmp 00007F0738B194E6h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0738B194E7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Special instruction interceptor: First address: 92BBEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Special instruction interceptor: First address: AC5DDF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Special instruction interceptor: First address: AF0D84 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Special instruction interceptor: First address: ADB5AE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Special instruction interceptor: First address: B4ED8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 4ABBEF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 645DDF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 670D84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 65B5AE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 6CED8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Special instruction interceptor: First address: ACCAB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Special instruction interceptor: First address: ACCB68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Special instruction interceptor: First address: CEAA4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory allocated: FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Memory allocated: 4CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Memory allocated: B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Memory allocated: 1A5E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory allocated: B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory allocated: 4810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory allocated: D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory allocated: 27AB78C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory allocated: 27AD1210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory allocated: 25579950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory allocated: 2557B200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 28F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 6D30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 6320000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 7D30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 7430000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 9030000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: A030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Memory allocated: F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Memory allocated: 49C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1460000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4EC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 7460000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8460000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8930000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 9930000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 9E80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: AE80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: BE80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: CE80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 7B20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: DE80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: EE80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8430000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 9D40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8630000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: AD40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 88B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 9D40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_052A090C rdtsc 0_2_052A090C
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 590804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 589711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 588630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 584595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 583277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 581637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 580105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 578479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 576757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 574695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 572735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 570520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 566034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 563979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 561729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 559187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 556505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 554105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 549013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 545765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 542766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 539749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 536749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 531088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 527853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 524644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 521393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 517771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 355523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 268824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 267590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592085
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 590992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 589911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 585876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 584558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 582918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 581386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 579760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 578038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 575976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 574016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 571801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 567315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 565260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 563010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 560468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 557786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 555386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 550294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 547046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 544047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 541030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 538030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 532369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 529134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 525925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 522674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 519052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 343741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window / User API: threadDelayed 1566
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1511
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Window / User API: threadDelayed 1340
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Window / User API: threadDelayed 1137
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Window / User API: threadDelayed 1112
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Window / User API: threadDelayed 1119
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Window / User API: threadDelayed 1142
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Window / User API: threadDelayed 1118
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Window / User API: threadDelayed 1153
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\JgoflcD9Q8N9LvT5krhponwA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Ee4C8pygmuP2wWmHYlaPNRsj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\g9ls6tmSqvqEPFEPMTLxj5T8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\7cKVSqTv7NnDDL1Bxf0FokVy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\A47mXAfrsBDpojX2UlRMyVjb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\emoDG0nH5rlkVVnXgc1mj5b6.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\tH2mUUONokvK3vL8ubpXbilZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\sx0rXq9mQR9aeLWBWHbPdr14.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\3Qu8OOESjPevn9hgYpoGckO6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\JLiIrbSzLzOnR0erkK3iGyEU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\uhjRBnwj8K4T9LYmtd6M66hw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\wXamxKfyZPmwZrj3GYJOigy8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\VxBZwWSDvyrtFfizMLyM1BzT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\uuRE7gXsEM4RR1NoZUBwtrlp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hcidkkgbJV63mERAuLfsQa8h.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\DTvgIdE1FHJj9FUSxKWXL2RO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SN8aMZWrntrM7YJrmHS2jN15.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\6kv625NXRIyPYKeDaoPyctw3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\RqikXgL90rwJFOFaZuJPlBKd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\RoyNg8B8qjQgITKbssh3ShCc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\MnKGY5RWTeEWMNUxbLjGgu1v.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HwwnZ3CpAQLjyKlmGEjpSgAe.exe
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5ps.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Xi37RtmryfYQA7AgXeZvjKIg.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\erPoCjwbFUG1W9A8W6y3CW6b.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\zFwKnsnVeTcdv2qgWZnCYFfo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\5t4J6LPx9worlCEV5lJ6PESB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\MpHOHCEEUzMhd1hQeZRzVhhz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\itMidjIgtoMzghFLrzdYkPDa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3kkvcuaTSYv6zr1LL5n1fFGV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\8UpBCIaVf6AAjxJPhsi6WXaA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\1nTmHrERKdzkaXW6uWP0ApYm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSO4jRyuUDShfiudMUcxy9PM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\yUsmdV5pQCUMcoI7bnDHRZY9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2pxZ3QGs5RsdEF32wezepFbS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KaHPEM2tjHD1595lRxdfqHsL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\wQWWfYa2Wpi02lLWRtocQHQR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\QGd5vowLDGLbl9fCzFQRFDz6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\sNUwctL7GkZ5u0NI0scxfcy0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\TjI0ijcIo0xtphiVp90L9Ox0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\UNI7mc4Nnga4yNCGVfbOvnYn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1YUCcdc2ns8K2t45poUN7Amx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\HAM9LOmldo1zWlB6yIg4ket5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EobcTZAHsg9TkKb6ZiDxOQpo.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\OW0IY6qIxwA2vBNesoWOn7tx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\9xT7E5Pb81hXRamadrxhTcKa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\vSXx0NPQvyjoNMnvb7CbbdI3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tLniRa1wNfVBc8wtGlFeZuV5.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\wZuV3PgWQZH6WkVb85MHgKez.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\iwNl8K5vXvEOpYcZRlgRArUI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\xEsbKulN7hG8EPnegeeycsh4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\MSGhyVQl8QvU645EqnDaDG5h.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ikwgyD2WNrub0XxL5g8QM7GI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SYo7pMEIUYDach25xrEqQtfo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\U56AmqiMe1O1Xr1D2Q9NTKco.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\vjbBGdKLPrfqevTO8NoyWGaS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\e9BFbVGJvYbRX1O9pfx94p87.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\fbQkxrJoAES30cVcdBN8aXwZ.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\DocuWorks[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aCC9Y3uZiPILOE7CPQBm3dqe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\XOhApkVOUtZE8u9vX17eosOR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ZM1H78lrEQNEMSqAF8jMSK2I.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sarra[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\HJ7xEP91cEUeBnkYZsutN6xz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\o8Jx9jV1oAFDNGwS0JdA5742.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\6OLUTXGxeOohIVqZzcEJ5alb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\iWlE1PLcvZdqKeIUsVDIfjKo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QgQgG9QxK6KBBiRO6TDiG08X.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Jow4Yx3Pjb1bpRyZH3KDPaVs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\zkP3dJByFmLvW6zaaFPB4q1s.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ULpJp44l4YgbS9xGxpGd4gFD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\TB8gyY0giMN6fcZjZLzipP7P.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\1abyUXPEgy4bZxyXlnZFcHZ5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Gp0jcfXPIousEInbW21jIMsf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\b135cfRMuAwZwxqPJGvWitOU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\jEBnyzNlpnxYBpX0SzTsilYc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\5zJHpAJpIRB1HYZQQAYjkJ25.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oLeePKVd7zLdWzK9yLk3y6uB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\duWjVWTrdvxVwAVHrNA8iMHG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NVX3Pk7yCVoYnwk8B8rP7BRQ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\NfgsIliNy2FIhgIHRMVtFDp6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\bgw33Otai3n3FHEj79p4BuQd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Tp94y9MBurxJFhItxZ95EWw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\eRuQ9CSoyYCbA7kgv2O4hBGL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ZoBfdkTi1TzYd4Qho9RGiD49.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\zTSMwf6EqjBUbab8YHX1tAIc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\GbMT76fl6mAPfbFsS3x29QL1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\fCvVPrm4SypzMQ6EiBEadgs1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\XJI9AFzBIfKNprDgZXpUs99e.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\QxCv5P4RWl5NZ4tvZO0mZrz2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3u6RrNmizX68IHHLss9QqKUE.exe
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5ps.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\kj4vlWepIIui5EUsEpaKN5uf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\NzMhoMiQShLnUxfisrCBpUcg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\UqEUiSMhaNIUaul1PMLhCUwN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\dUJDpd3reHboCY5zymPoYWZb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\yB6Uf0WkvSc9vwkxXb9qHuqG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\uOTCOcyWGW2C0V1L0OAjLfFo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\QHSpBJfT7rENIQ9ncyZXQ7Pm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\7oogYDdOsBiWJ9MKZ1L5HbFc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\FUb10VYVGNCyaJzEYAYj3GQs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\dAQPk6VJcRnzNryadPob76ur.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\VScSUh49U4ILUy7wHZccpWfB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\s72QQ1HEDtqfs0ltMB4uulZT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\yhDNs5CKgcvWpHQdXrg6et6I.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\b7aAk4NsmjOyCEFaPAgyoXSd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\AyNYT4O47VfBk09nQnrCijm6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bhUVpYwvm9Cx2G2Rs1dNzx32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ilujg24U0DrNyFRHYG8F01Xq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KS0KCSisDq7pEmahBFThP4AT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\p2n3E86Xy4ldROofshdOCL5V.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\eVxkDSvCJmjQQtpfadM6vVRZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tqElYl8Fl4JU3kvWVy6e00VW.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\j5y10uqj39KWgJqNPePuwKtH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\PX9pw9BSDC6GcNiwEOwN9eIo.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\swiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\RTdjK9qJEXQ928Kc9bfdj8uO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\l9eBjdHLCrnnkZZKJdDffPtE.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\BD2oseXp7BCvMSmO4ZjO5L8H.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\lGY9WNr93099Iipz5J2xUIwU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\fNXuIJPtZ25Cf8AC2M7nLhvu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ngPRyE3pVf7AVqsG4El6sbei.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\dG8PuyJTCxed1f6M5xR2MLtX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Mpw4JlCHhiliCOOFY4izjnxd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\szmZp5wR4ysalkWrHfDx3ALH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QOC4MrQyBEQHndqZcvBUgBgA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EwtRoEOPYdd062EDD7ELX587.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NXiJY5ksTtPuwWHLdp7c611m.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2dRkzCtGWj8VKkanaZyDrBYJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EbkuLW0CG2HYrP9ej87UFUE5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\pVHGmT1xb3UJCnVvgRWBUZ7Y.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\oda8FFwXlvLarxOY0ZoPcs8X.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\Pictures\rig4vLmrODGxubaXNA7eu9mO.exe
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5480 Thread sleep count: 113 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5480 Thread sleep time: -226113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5020 Thread sleep count: 119 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5020 Thread sleep time: -238119s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5048 Thread sleep count: 122 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5048 Thread sleep time: -244122s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6724 Thread sleep count: 1566 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6724 Thread sleep time: -46980000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6736 Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6736 Thread sleep time: -212106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5036 Thread sleep count: 99 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5036 Thread sleep time: -198099s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5064 Thread sleep count: 115 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5064 Thread sleep time: -230115s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 2792 Thread sleep count: 113 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 2792 Thread sleep time: -226113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5056 Thread sleep count: 112 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 5056 Thread sleep time: -224112s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 1056 Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 6724 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe TID: 5464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960 Thread sleep count: 245 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960 Thread sleep time: -245000s >= -30000s
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe TID: 1824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe TID: 3632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2120 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3428 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 404 Thread sleep count: 1340 > 30
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 404 Thread sleep time: -40200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 6968 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe TID: 404 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3632 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7604 Thread sleep count: 1137 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7604 Thread sleep time: -2275137s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7596 Thread sleep count: 1112 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7596 Thread sleep time: -2225112s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7588 Thread sleep count: 1119 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7588 Thread sleep time: -2239119s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7584 Thread sleep count: 1142 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7584 Thread sleep time: -2285142s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7592 Thread sleep count: 1118 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7592 Thread sleep time: -2237118s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7576 Thread sleep count: 1153 > 30
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7576 Thread sleep time: -2307153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe TID: 7492 Thread sleep count: 330 > 30
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe TID: 7500 Thread sleep time: -31000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972 Thread sleep count: 353 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5984 Thread sleep count: 65 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -598969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -598625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -598266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -597840s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -597503s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -597191s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -596342s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -595967s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -595561s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -595217s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -594623s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -594123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -593717s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7916 Thread sleep time: -1500000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -593117s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -592367s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -591496s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -590804s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -589711s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -588630s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -584595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -583277s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -581637s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -580105s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -578479s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -576757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -574695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -572735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -570520s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -566034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -563979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -561729s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -559187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -556505s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -554105s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -549013s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -545765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -542766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -539749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -536749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -531088s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -527853s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -524644s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -521393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -517771s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -355523s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -268824s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -267590s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5032 Thread sleep count: 59 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -599243s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -598784s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8092 Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -598472s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -597920s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -597498s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -597014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -596592s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -595904s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -595404s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -594998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -594398s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -593648s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -592777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -592085s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -590992s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -589911s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -585876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -584558s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -582918s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -581386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -579760s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -578038s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -575976s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -574016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -571801s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -567315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -565260s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -563010s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -560468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -557786s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -555386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -550294s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -547046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -544047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -541030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -538030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -532369s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -529134s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -525925s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -522674s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -519052s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -343741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\bUWKfj04aU.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001CDB5E FindFirstFileExW, 26_2_001CDB5E
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001972F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 26_2_001972F0
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 590804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 589711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 588630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 584595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 583277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 581637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 580105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 578479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 576757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 574695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 572735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 570520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 566034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 563979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 561729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 559187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 556505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 554105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 549013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 545765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 542766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 539749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 536749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 531088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 527853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 524644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 521393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 517771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 355523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 268824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 267590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592085
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 590992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 589911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 585876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 584558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 582918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 581386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 579760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 578038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 575976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 574016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 571801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 567315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 565260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 563010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 560468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 557786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 555386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 550294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 547046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 544047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 541030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 538030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 532369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 529134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 525925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 522674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 519052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 343741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: bUWKfj04aU.exe, bUWKfj04aU.exe, 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Server
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Core
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU_HARDU
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Full
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Core
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2567701880.000000000120A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.000000000129A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RegAsm.exe, 0000001D.00000002.2663231938.0000000001348000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/U
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWARE_VIRTUAL
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: netsh.exe, 00000006.00000003.2206953966.00000223F0F66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Traffic.exe, 0000000F.00000002.2321334601.000000000270D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Core
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Uni400uni.exe, 00000028.00000002.3022619723.0000025500041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: bUWKfj04aU.exe, 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Full
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Full
Source: C:\Users\user\Desktop\bUWKfj04aU.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\bUWKfj04aU.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\bUWKfj04aU.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_052A097E Start: 052A099B End: 052A0995 0_2_052A097E
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe File opened: SIWVID
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001084001\random.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_052A090C rdtsc 0_2_052A090C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00435B70 LdrInitializeThunk, 21_2_00435B70
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001C6B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_001C6B6B
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001BC08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 26_2_001BC08C
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008F5E8B mov eax, dword ptr fs:[00000030h] 0_2_008F5E8B
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008F9B02 mov eax, dword ptr fs:[00000030h] 0_2_008F9B02
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001CA292 mov eax, dword ptr fs:[00000030h] 26_2_001CA292
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001C661B mov eax, dword ptr fs:[00000030h] 26_2_001C661B
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001CEDB4 GetProcessHeap, 26_2_001CEDB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001AD2DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_001AD2DC
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001C6B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_001C6B6B
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001ADCAA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_001ADCAA
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001ADE0F SetUnhandledExceptionFilter, 26_2_001ADE0F
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.32 80
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Code function: 10_2_02B0AE39 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 10_2_02B0AE39
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wifeplasterbakewis.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: mealplayerpreceodsju.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: bordersoarmanusjuw.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: suitcaseacanehalk.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: absentconvicsjawun.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pushjellysingeywus.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: economicscreateojsu.shop
Source: gold.exe, 00000011.00000002.2298653868.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: entitlementappwo.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pillowbrocccolipe.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: communicationgenerwo.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: diskretainvigorousiw.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: affordcharmcropwo.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dismissalcylinderhostw.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: enthusiasimtitleow.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: worryfillvolcawoi.shop
Source: swiiiii.exe, 0000001B.00000002.2873997217.0000000003855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cleartotalfisherwo.shop
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58E000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 590000
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C4A008
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3C008
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EE7008
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CEA008
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 96C008
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe "C:\Users\user\AppData\Local\Temp\1001053001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe "C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001084001\random.exe "C:\Users\user\AppData\Local\Temp\1001084001\random.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe "C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe "C:\Users\user\AppData\Local\Temp\1001107001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\configurationValue\propro.exe "C:\Users\user\AppData\Roaming\configurationValue\propro.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe "C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe "C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe"
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe "C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe"
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: bUWKfj04aU.exe, bUWKfj04aU.exe, 00000000.00000002.2152807504.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002821000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: l9eBjdHLCrnnkZZKJdDffPtE.exe.45.dr Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: ISetup8.exe, 00000023.00000003.3016446842.000000000585C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32S
Source: Traffic.exe, 0000000F.00000002.2321334601.0000000002821000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008DCD47 cpuid 0_2_008DCD47
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001084001\random.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001084001\random.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001108001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001142001\DocuWorks.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001152001\DocuWorks.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SFPUSAFIOL.docx VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Users\user\AppData\Roaming\configurationValue\propro.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Queries volume information: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001053001\gold.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000187001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000188001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\FirstZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001073001\swiiiii.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001085001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000192001\Uni400uni.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\Desktop\bUWKfj04aU.exe Code function: 0_2_008DC54A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_008DC54A
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_00195370 RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegCloseKey,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority, 26_2_00195370
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001D2467 _free,_free,_free,GetTimeZoneInformation,_free, 26_2_001D2467
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001972F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 26_2_001972F0
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001235000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2648072968.00000000012C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
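The two behaviours recorded in this section, netsh enumerating Wi-Fi profiles under a rundll32.exe parent and several payloads querying the SecurityCenter WMI namespaces for installed AV, anti-spyware and firewall products, are discovery steps that precede credential theft and defence evasion. The Python below is a detection example added for this page; it is not code from the report, the sandbox vendor or any of the malware families named. The telemetry records are constructed to mirror the observations above in the shape of Sysmon-style process-creation and WMI-query events, and the rule names, severity thresholds, the example vendor path and the list of injection-host binaries are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry in the shape of Sysmon-style process-creation
# and WMI-query records; it mirrors the observations above but is not taken
# from the report's own logs.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "netsh wlan show profiles"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "netsh interface show interface"},          # benign netsh use
    {"event": "wmi_query",
     "image": r"C:\Users\user\AppData\Roaming\configurationValue\propro.exe",
     "namespace": r"ROOT\SecurityCenter",
     "query": "SELECT * FROM AntivirusProduct"},
    {"event": "wmi_query",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "namespace": r"ROOT\SecurityCenter2",
     "query": "SELECT * FROM AntiVirusProduct"},
    {"event": "wmi_query",
     "image": r"C:\Program Files\ExampleVendor\agent.exe",   # assumed legitimate agent
     "namespace": r"ROOT\SecurityCenter2",
     "query": "SELECT * FROM AntiVirusProduct"},
    {"event": "wmi_query",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "namespace": r"ROOT\CIMV2",
     "query": "SELECT * FROM Win32_Process"},
]

WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
SECURITY_CENTER_RE = re.compile(r"^ROOT\\SecurityCenter2?$", re.IGNORECASE)
SECURITY_PRODUCT_RE = re.compile(
    r"\bFROM\s+(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# .NET and system binaries that this report shows hosting injected payloads;
# the list is an assumption of the example, extend it for your environment.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                   "installutil.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    severity: str
    evidence: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_wlan_profile_enumeration(ev: dict):
    """netsh wlan profile listing. 'show profiles' only lists SSIDs; the PSK
    is revealed by the follow-up 'show profile name=<ssid> key=clear'."""
    if ev.get("event") != "process_create" or basename(ev.get("image", "")) != "netsh.exe":
        return None
    cmdline = ev.get("cmdline", "")
    if not WLAN_PROFILE_RE.search(cmdline):
        return None
    parent = basename(ev.get("parent", ""))
    severity = "high" if KEY_CLEAR_RE.search(cmdline) or parent in INJECTION_HOSTS else "medium"
    return Alert("netsh_wlan_profile_enumeration", ev["image"], severity, cmdline)


def check_security_center_enumeration(ev: dict):
    """WMI lookups of installed AV/anti-spyware/firewall products. Legitimate
    agents do this too, so the score hinges on which image is asking."""
    if ev.get("event") != "wmi_query":
        return None
    if not SECURITY_CENTER_RE.match(ev.get("namespace", "")):
        return None
    if not SECURITY_PRODUCT_RE.search(ev.get("query", "")):
        return None
    image = ev["image"]
    suspicious_origin = bool(USER_WRITABLE_RE.match(image)) or basename(image) in INJECTION_HOSTS
    severity = "high" if suspicious_origin else "low"
    return Alert("securitycenter_product_enumeration", image, severity,
                 f"{ev['namespace']}: {ev['query']}")


CHECKS = (check_wlan_profile_enumeration, check_security_center_enumeration)


def scan(events):
    """Run every check over every record and return the alerts in input order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def escalate(alerts) -> bool:
    """True when both discovery stages fire at high severity in the same
    telemetry, which is the combination this report records."""
    high_rules = {a.rule for a in alerts if a.severity == "high"}
    return {"netsh_wlan_profile_enumeration",
            "securitycenter_product_enumeration"} <= high_rules


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity:>6}] {a.rule}: {a.image} <- {a.evidence}")
    print("escalate:", escalate(found))
```

Two caveats worth keeping in mind when tuning this. `ROOT\SecurityCenter` is the namespace populated on Windows XP; current Windows populates `ROOT\SecurityCenter2`, and the fact that different payloads in this report query different namespaces is itself a fingerprint of separately authored stealer code. And `netsh wlan show profiles` alone leaks only SSIDs; the Sigma rule listed in the report header fires because the usual next command, `netsh wlan show profile name=<ssid> key=clear`, prints the pre-shared key, which is why the check scores `key=clear` and a rundll32.exe parent higher than a plain profile listing from explorer.exe.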

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll, type: DROPPED
Source: Yara match File source: 26.2.NewB.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.NewB.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.NewB.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bUWKfj04aU.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2303988986.0000000000191000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.2335483499.0000000000191000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2152679736.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2112311636.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2432596544.0000000000191000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2150646728.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewB[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\clip64[1].dll, type: DROPPED
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4976, type: MEMORYSTR
Source: Yara match File source: 10.0.alexxxxxxxx.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2217700639.00000000005F2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe, type: DROPPED
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b05570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Traffic.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Traffic.exe.125f1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b07541.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.0.jok.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.propro.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b8e946.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b07541.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Traffic.exe.125f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.2242861766.0000000000342000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271671273.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2371502958.00000000125F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: alexxxxxxxx.exe PID: 3472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: propro.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe, type: DROPPED
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: RegAsm.exe, 00000015.00000002.2519215288.0000000000F78000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\Binance*
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: RegAsm.exe, 00000015.00000002.2567701880.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000008.00000002.2542158333.000001A31C51F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: RegAsm.exe, 0000001D.00000002.2642519741.0000000001138000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/Ledger Live{4AC:\Users\user\AppData\Roaming\Ledger LiveY)A%appdata%\Ledger Live
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\tUMORNtejDVyzSMTraAbFIMeGfARtlAOsbGGsGxXak\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\00c07260dc\.purple\accounts.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4976, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000015.00000002.2567701880.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4976, type: MEMORYSTR
Source: Yara match File source: 10.0.alexxxxxxxx.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2217700639.00000000005F2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000985001\alexxxxxxxx.exe, type: DROPPED
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3c762de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b05570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Traffic.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Traffic.exe.125f1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b07541.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.0.jok.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3c762de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.propro.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b8e946.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b07541.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b8e946.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.alexxxxxxxx.exe.3b05570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Traffic.exe.125f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002F.00000000.2550237363.00000000006A1000.00000002.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2242693260.0000000000A22000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.2242861766.0000000000342000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271671273.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271671273.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2371502958.00000000125F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: alexxxxxxxx.exe PID: 3472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: propro.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\configurationValue\Traffic.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001107001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\configurationValue\propro.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jok[1].exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001BE044 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 26_2_001BE044
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_00192500 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 26_2_00192500
Source: C:\Users\user\AppData\Local\Temp\1001059001\NewB.exe Code function: 26_2_001BED3B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 26_2_001BED3B