Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1430545
MD5: 169d873778a229bcb4f010f87930cb28
SHA1: 15d928181a3abe9fc84d21454246676baad444a8
SHA256: f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449
Tags: exe
Infos:

Detection

Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1360556
Found malware configuration
Source: explorta.exe.3092.2.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://193.233.132.139/sev56rkm/index.php"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\amert[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\swiiiii[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\1000208001\install.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll ReversingLabs: Detection: 91%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00833EB0 CryptUnprotectData,CryptUnprotectData, 8_2_00833EB0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0010C2A2 FindFirstFileExW, 4_2_0010C2A2
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001468EE FindFirstFileW,FindClose, 4_2_001468EE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 4_2_0014698F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_0013D076
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_0013D3A9
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00149642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00149642
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_0014979D
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00149B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 4_2_00149B2B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 4_2_0013DBBE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00145C97 FindFirstFileW,FindNextFileW,FindClose, 4_2_00145C97
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008333B0 FindFirstFileA,FindNextFileA, 8_2_008333B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00853B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_00853B20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007A1F8C FindFirstFileExW, 8_2_007A1F8C
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\Desktop\desktop.ini

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\rundll32.exe Network Connect: 193.233.132.167 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 193.233.132.139
Yara detected Generic Downloader
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_0059B670 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 2_2_0059B670
Source: b3168c3d9b.exe, 00000004.00000003.2400801702.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2388488630.00000000010AC000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2384397745.00000000010A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Khttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKILUqSjTYt2f71ZJ2P9hYGW4Hp2Xt35GOU6aMhuUUf_toEQ-l9xZdlwBT30N5fFvMwHQuWC2A equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQxldTP1ZW9BUsk3Wko45Z7zSTp6uFI2fviAMsMcrMT9TUwJBbIAW49EqVoHmRNuN2WFIdGs&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S33782673%3A1713900850107375&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: b3168c3d9b.exe, 00000004.00000003.2348077262.0000000003876000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2409233393.000000000389E000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2351504626.0000000003879000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountJ_ equals www.youtube.com (Youtube)
Source: b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account[Y equals www.youtube.com (Youtube)
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeHK
Source: MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exea
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/0
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/Local
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/a
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/age.Streams.DataWriter
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/erences.SourceAumid
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/f1daa8e86e8e6fbbace30934c49ac47aa495c49#?
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/f1daa8e86e8e8fda7df3081405eac52aa495c49#b
Source: explorta.exe, 00000002.00000002.3253602072.00000000014B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.php
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.php001
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.php12001
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.php1mb3JtLXVybGVuY29kZWQ=
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.php6Eo
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpL
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpPE
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpUsers
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpWindows
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpX
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpbE
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcoded
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcodedlE
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcodeduE
Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phph
Source: explorta.exe, 00000002.00000002.3253602072.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpop
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/sev56rkm/index.phpu
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe.1
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe1.132f
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeAK
Source: MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exer
Source: MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe4
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exepro_botC
Source: MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exer
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exetK
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/random.exe
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exe
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exee
Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe
Source: explorta.exe, 00000002.00000002.3253602072.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exe
Source: svchost.exe, 0000001E.00000003.2923000049.000001EFCE589000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2923073504.000001EFCE573000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2705743746.000001EFCE573000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000001E.00000003.2502477786.000001EFCECC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2498765635.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000001E.00000003.2490135541.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325462458.000001EFCEC8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2489362309.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000001E.00000003.2490135541.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2489362309.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tbE%
Source: svchost.exe, 0000001E.00000002.3329736359.000001EFCECB8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000006.00000002.3326223152.000002AF2AC00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2491144426.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2488466722.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2703336556.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2703702572.000001EFCE578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2500832032.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2375556720.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
Source: svchost.exe, 0000001E.00000003.2703702572.000001EFCE578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2500832032.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
Source: svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2375556720.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2488466722.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000001E.00000002.3360389667.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325172143.000001EFCEC53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: svchost.exe, 00000006.00000002.3273860235.000002AF25D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2878763604.000002AF2A992000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0/go
Source: svchost.exe, 00000006.00000003.2089816565.000002AF2A990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: svchost.exe, 0000001E.00000002.3325518723.000001EFCECA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3276271710.000001EFCDC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 0000001E.00000003.2702970756.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2473225757.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scdn
Source: svchost.exe, 0000001E.00000002.3324680464.000001EFCE582000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scst
Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000001E.00000003.2502477786.000001EFCECC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2498765635.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesue
Source: svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 0000001E.00000002.3308028724.000001EFCDCE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustce
Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.w3.o
Source: 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.co
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600e
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355752534.000001EFCE557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/msangcwam
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: RegAsm.exe, 00000032.00000002.2781271801.0000000001556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/api
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/2
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/2Oh
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?;#
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=89.187.171.132
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=89.187.171.132J
Source: 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=89.187.171.132icroso/
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=89.187.171.132mp
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/e
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=89.187.171.132
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000177F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=89.187.171.132P
Source: svchost.exe, 00000006.00000002.3344029385.000002AF2AD21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.iolo.net/
Source: svchost.exe, 00000006.00000002.3273860235.000002AF25D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3326650125.000002AF2AC8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3254546774.000002AF25441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
Source: svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.ex
Source: svchost.exe, 00000006.00000002.3273860235.000002AF25D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3186101827.000002AF2A99E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3253727463.000000FAF9EFB000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3292092512.000002AF26240000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3344315396.000002AF2AF60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3099631479.000002AF2A995000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3326170838.000002AF2AAF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe7C:
Source: svchost.exe, 00000006.00000002.3326650125.000002AF2AC8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.iolo.net:443/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.ex
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000006.00000003.2089816565.000002AF2AA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2089816565.000002AF2A990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: RageMP131.exe, 0000001F.00000002.2450136740.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000001F.00000002.2450136740.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/FW
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001529000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.00000000014F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/T
Source: MPGPH131.exe, 00000013.00000002.2500776200.00000000016DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/W
Source: 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: 2531414c80.exe, 00000008.00000002.2511321549.00000000014DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: 2531414c80.exe, 00000008.00000002.2511321549.000000000150F000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.0000000001529000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.000000000170A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/89.187.171.132
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/89.187.171.1326
Source: 2531414c80.exe, 00000008.00000002.2511321549.000000000150F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/89.187.171.132v
Source: RageMP131.exe, 0000001F.00000002.2450136740.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/89.187.171.132yB
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.00000000014F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/89.187.171.132
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/89.187.171.132S
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/89.187.171.132r
Source: svchost.exe, 0000001E.00000002.3325008437.000001EFCEC13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000001E.00000002.3325518723.000001EFCECA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325406363.000001EFCEC71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000001E.00000003.2474491603.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/didtou.srfce
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfr
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfe
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806013
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355752534.000001EFCE557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354695879.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001E.00000002.3325008437.000001EFCEC13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/li
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000001E.00000002.3308028724.000001EFCDCE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325406363.000001EFCEC71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf(
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfL
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srft
Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfr
Source: svchost.exe, 0000001E.00000002.3290683644.000001EFCDC9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pcss.dll
Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.(
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTqUTv
Source: MPGPH131.exe, 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTv=
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot1.132
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot:
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botH
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botftW
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botU
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botn
Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botriseproU
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.tIpo
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2531414c80.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300158551.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2324847238.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2506556496.0000000007E40000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306724573.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2301470542.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2299159768.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304704157.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300712531.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2322536020.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2305456630.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/FX
Source: 2531414c80.exe, 00000008.00000003.2246698815.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2263027375.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250377410.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242976435.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2237987811.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250022722.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2236789799.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2262315779.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2252002938.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2248838364.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242573192.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2251127325.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2516925001.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259361642.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2253196095.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2245014329.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259948255.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2258255190.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2243359336.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2257231941.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242286156.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2531414c80.exe, 00000008.00000003.2246698815.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2263027375.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250377410.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242976435.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2237987811.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250022722.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2236789799.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2262315779.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2252002938.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2248838364.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242573192.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2251127325.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2516925001.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259361642.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2253196095.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2245014329.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259948255.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2258255190.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2243359336.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2257231941.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242286156.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300158551.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2324847238.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2506556496.0000000007E40000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306724573.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2301470542.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2299159768.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304704157.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300712531.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2322536020.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2305456630.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/_1
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: 2531414c80.exe, 00000008.00000003.2246698815.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2263027375.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250377410.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242976435.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2237987811.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250022722.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2236789799.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2262315779.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2252002938.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2248838364.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242573192.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2251127325.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2516925001.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259361642.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2253196095.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2245014329.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259948255.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2258255190.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2243359336.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2257231941.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242286156.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2492388851.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2446883487.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2447086415.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountJ_
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 4_2_0014EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_0014ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 4_2_0014EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 4_2_0013AB9C
Installs a raw input device (often for capturing keystrokes)
Source: b3168c3d9b.exe, 00000004.00000003.2348077262.0000000003876000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_GETRAWINPUTDATA memstr_fa19ae17-4
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00169576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 4_2_00169576

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
.NET source code contains very large array initializations
Source: swiiiii[1].exe.44.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.44.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Binary is likely a compiled AutoIt script file
Source: b3168c3d9b.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b3168c3d9b.exe, 00000004.00000000.2070491358.0000000000192000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5582b073-d
Source: b3168c3d9b.exe, 00000004.00000000.2070491358.0000000000192000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_148a7222-4
Source: b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_88050bc7-f
Source: b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3908aaf6-9
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name: .idata
Source: explorta.exe.0.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name: .idata
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name: .idata
Source: amert.exe.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name: .idata
Source: random[1].exe0.2.dr Static PE information: section name:
Source: 2531414c80.exe.2.dr Static PE information: section name:
Source: 2531414c80.exe.2.dr Static PE information: section name: .idata
Source: 2531414c80.exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: .idata
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name: .idata
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name: .idata
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: chrosha.exe.26.dr Static PE information: section name:
Source: chrosha.exe.26.dr Static PE information: section name: .idata
Source: chrosha.exe.26.dr Static PE information: section name:
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013D5EB: CreateFileW,DeviceIoControl,CloseHandle, 4_2_0013D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00131201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 4_2_00131201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 4_2_0013E8F6
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\explorta.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File created: C:\Windows\Tasks\chrosha.job
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005D703B 2_2_005D703B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005D2480 2_2_005D2480
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005D2918 2_2_005D2918
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005C7633 2_2_005C7633
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005D6F1B 2_2_005D6F1B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005D67C9 2_2_005D67C9
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005D8380 2_2_005D8380
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00142046 4_2_00142046
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D8060 4_2_000D8060
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00138298 4_2_00138298
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0010E4FF 4_2_0010E4FF
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0010676B 4_2_0010676B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00164873 4_2_00164873
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000FCAA0 4_2_000FCAA0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000DCAF0 4_2_000DCAF0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000ECC39 4_2_000ECC39
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00106DD9 4_2_00106DD9
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000EB119 4_2_000EB119
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D91C0 4_2_000D91C0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F1394 4_2_000F1394
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F1706 4_2_000F1706
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F781B 4_2_000F781B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D7920 4_2_000D7920
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000E997D 4_2_000E997D
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F19B0 4_2_000F19B0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F7A4A 4_2_000F7A4A
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F1C77 4_2_000F1C77
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F7CA7 4_2_000F7CA7
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0015BE44 4_2_0015BE44
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00109EEE 4_2_00109EEE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F1F32 4_2_000F1F32
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00868080 8_2_00868080
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007B001D 8_2_007B001D
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008061D0 8_2_008061D0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0084D2B0 8_2_0084D2B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0084C3E0 8_2_0084C3E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007EF730 8_2_007EF730
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0084B7E0 8_2_0084B7E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008AC8D0 8_2_008AC8D0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0077B8E0 8_2_0077B8E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008449B0 8_2_008449B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00808A80 8_2_00808A80
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00801A60 8_2_00801A60
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0080CBF0 8_2_0080CBF0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00817D20 8_2_00817D20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0080AEC0 8_2_0080AEC0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00803ED0 8_2_00803ED0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007FDF60 8_2_007FDF60
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008B40A0 8_2_008B40A0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008A20C0 8_2_008A20C0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007F2100 8_2_007F2100
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00811130 8_2_00811130
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007A7190 8_2_007A7190
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008B3160 8_2_008B3160
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007B035F 8_2_007B035F
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00860350 8_2_00860350
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0079F570 8_2_0079F570
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007C47AD 8_2_007C47AD
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007AC950 8_2_007AC950
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007AA918 8_2_007AA918
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007BDA74 8_2_007BDA74
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008B4AE0 8_2_008B4AE0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00854B90 8_2_00854B90
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00800BA0 8_2_00800BA0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007C8BA0 8_2_007C8BA0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007C8E20 8_2_007C8E20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00811E40 8_2_00811E40
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0085BFC0 8_2_0085BFC0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_0085CFC0 8_2_0085CFC0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: String function: 000EF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: String function: 000F0A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: String function: 000D9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: String function: 0078ACE0 appears 86 times
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
PE file contains executable resources (Code or Archives)
Source: alexxxxxxxx[1].exe.44.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: swiiiii[1].exe.44.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.44.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: alexxxxxxxx[1].exe.44.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9904153184604905
Source: file.exe Static PE information: Section: wqkjverv ZLIB complexity 0.9948664563962207
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 0.9904153184604905
Source: explorta.exe.0.dr Static PE information: Section: wqkjverv ZLIB complexity 0.9948664563962207
Source: amert[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.9970191976584022
Source: amert[1].exe.2.dr Static PE information: Section: nkxbjlfg ZLIB complexity 0.994648871020736
Source: amert.exe.2.dr Static PE information: Section: ZLIB complexity 0.9970191976584022
Source: amert.exe.2.dr Static PE information: Section: nkxbjlfg ZLIB complexity 0.994648871020736
Source: chrosha.exe.26.dr Static PE information: Section: ZLIB complexity 0.9970191976584022
Source: chrosha.exe.26.dr Static PE information: Section: nkxbjlfg ZLIB complexity 0.994648871020736
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@134/170@0/32
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001437B5 GetLastError,FormatMessageW, 4_2_001437B5
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001310BF AdjustTokenPrivileges,CloseHandle, 4_2_001310BF
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 4_2_001316C3
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 4_2_001451CD
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0015A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 4_2_0015A67C
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 4_2_0014648E
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 4_2_000D42A2
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6188
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess12156
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:12172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:11920:64:WilError_03
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:8384:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:11880:64:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7556
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2584
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\5454e6f062 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 2531414c80.exe, 00000008.00000003.2251127325.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300537130.0000000008430000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300108474.0000000008423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304669864.0000000008423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2301424641.0000000008423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2292643859.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2346102842.0000000007AAE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2290504477.00000000079B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorta.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorta.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2531414c80.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2531414c80.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2008,i,1160871462993257416,2185165771260797926,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,5587240117108389418,17388237419523249848,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WerFault.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2008,i,1160871462993257416,2185165771260797926,262144 /prefetch:8
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,5587240117108389418,17388237419523249848,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sfc_os.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.5.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.5.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.5.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.5.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.5.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.5.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: BIT1C07.tmp.6.dr LNK file: ..\..\Roaming\driverRemote_debug\UniversalInstaller.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static file information: File size 1910784 > 1048576
Source: file.exe Static PE information: Raw size of wqkjverv is bigger than: 0x100000 < 0x1a0c00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.b40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Unpacked PE file: 2.2.explorta.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Unpacked PE file: 3.2.explorta.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Unpacked PE file: 8.2.2531414c80.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 19.2.MPGPH131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 20.2.MPGPH131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Unpacked PE file: 24.2.2531414c80.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Unpacked PE file: 26.2.amert.exe.860000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 31.2.RageMP131.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Unpacked PE file: 37.2.chrosha.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Unpacked PE file: 42.2.2531414c80.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 43.2.RageMP131.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Unpacked PE file: 44.2.chrosha.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Unpacked PE file: 45.2.explorta.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Binary contains a suspicious time stamp
Source: BIT1659.tmp.6.dr Static PE information: 0xEC3B20ED [Thu Aug 4 12:07:09 2095 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 4_2_000D42DE
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: clip64.dll.44.dr Static PE information: real checksum: 0x0 should be: 0x2272f
Source: amert[1].exe.2.dr Static PE information: real checksum: 0x1ebfee should be: 0x1e8c52
Source: cred64[1].dll.44.dr Static PE information: real checksum: 0x0 should be: 0x14356f
Source: alexxxxxxxx[1].exe.44.dr Static PE information: real checksum: 0x0 should be: 0x1c49ab
Source: explorta.exe.0.dr Static PE information: real checksum: 0x1debc8 should be: 0x1de8d3
Source: cred64.dll.44.dr Static PE information: real checksum: 0x0 should be: 0x14356f
Source: swiiiii[1].exe.44.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: clip64[1].dll.44.dr Static PE information: real checksum: 0x0 should be: 0x2272f
Source: swiiiii.exe.44.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: amert.exe.2.dr Static PE information: real checksum: 0x1ebfee should be: 0x1e8c52
Source: chrosha.exe.26.dr Static PE information: real checksum: 0x1ebfee should be: 0x1e8c52
Source: file.exe Static PE information: real checksum: 0x1debc8 should be: 0x1de8d3
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: wqkjverv
Source: file.exe Static PE information: section name: wmthiooa
Source: file.exe Static PE information: section name: .taggant
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name: .idata
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name: wqkjverv
Source: explorta.exe.0.dr Static PE information: section name: wmthiooa
Source: explorta.exe.0.dr Static PE information: section name: .taggant
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name: .idata
Source: amert[1].exe.2.dr Static PE information: section name:
Source: amert[1].exe.2.dr Static PE information: section name: nkxbjlfg
Source: amert[1].exe.2.dr Static PE information: section name: kzjaljwy
Source: amert[1].exe.2.dr Static PE information: section name: .taggant
Source: amert.exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name: .idata
Source: amert.exe.2.dr Static PE information: section name:
Source: amert.exe.2.dr Static PE information: section name: nkxbjlfg
Source: amert.exe.2.dr Static PE information: section name: kzjaljwy
Source: amert.exe.2.dr Static PE information: section name: .taggant
Source: random[1].exe0.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name: .idata
Source: random[1].exe0.2.dr Static PE information: section name:
Source: random[1].exe0.2.dr Static PE information: section name: unpqzwpm
Source: random[1].exe0.2.dr Static PE information: section name: glmqmaxs
Source: 2531414c80.exe.2.dr Static PE information: section name:
Source: 2531414c80.exe.2.dr Static PE information: section name: .idata
Source: 2531414c80.exe.2.dr Static PE information: section name:
Source: 2531414c80.exe.2.dr Static PE information: section name: unpqzwpm
Source: 2531414c80.exe.2.dr Static PE information: section name: glmqmaxs
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: .idata
Source: sarra[1].exe.2.dr Static PE information: section name:
Source: sarra[1].exe.2.dr Static PE information: section name: xoahvbru
Source: sarra[1].exe.2.dr Static PE information: section name: vfiegpwq
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name: .idata
Source: RageMP131.exe.8.dr Static PE information: section name:
Source: RageMP131.exe.8.dr Static PE information: section name: unpqzwpm
Source: RageMP131.exe.8.dr Static PE information: section name: glmqmaxs
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name: .idata
Source: MPGPH131.exe.8.dr Static PE information: section name:
Source: MPGPH131.exe.8.dr Static PE information: section name: unpqzwpm
Source: MPGPH131.exe.8.dr Static PE information: section name: glmqmaxs
Source: chrosha.exe.26.dr Static PE information: section name:
Source: chrosha.exe.26.dr Static PE information: section name: .idata
Source: chrosha.exe.26.dr Static PE information: section name:
Source: chrosha.exe.26.dr Static PE information: section name: nkxbjlfg
Source: chrosha.exe.26.dr Static PE information: section name: kzjaljwy
Source: chrosha.exe.26.dr Static PE information: section name: .taggant
Source: cred64[1].dll.44.dr Static PE information: section name: _RDATA
Source: cred64.dll.44.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005AD10C push ecx; ret 2_2_005AD11F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F0A76 push ecx; ret 4_2_000F0A89
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007A3F49 push ecx; ret 8_2_007A3F5C
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D030B push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D0313 push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D0346 push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D035D push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D038A push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D03B4 push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_050D03E2 push ebx; retf 8_2_050D03FB
Source: file.exe Static PE information: section name: entropy: 7.923021973448171
Source: file.exe Static PE information: section name: wqkjverv entropy: 7.95472970828884
Source: explorta.exe.0.dr Static PE information: section name: entropy: 7.923021973448171
Source: explorta.exe.0.dr Static PE information: section name: wqkjverv entropy: 7.95472970828884
Source: amert[1].exe.2.dr Static PE information: section name: entropy: 7.978115259211233
Source: amert[1].exe.2.dr Static PE information: section name: nkxbjlfg entropy: 7.954199818301463
Source: amert.exe.2.dr Static PE information: section name: entropy: 7.978115259211233
Source: amert.exe.2.dr Static PE information: section name: nkxbjlfg entropy: 7.954199818301463
Source: random[1].exe0.2.dr Static PE information: section name: entropy: 7.926018742616288
Source: random[1].exe0.2.dr Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: 2531414c80.exe.2.dr Static PE information: section name: entropy: 7.926018742616288
Source: 2531414c80.exe.2.dr Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: sarra[1].exe.2.dr Static PE information: section name: entropy: 7.926032184293041
Source: sarra[1].exe.2.dr Static PE information: section name: xoahvbru entropy: 7.912609290174337
Source: RageMP131.exe.8.dr Static PE information: section name: entropy: 7.926018742616288
Source: RageMP131.exe.8.dr Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: MPGPH131.exe.8.dr Static PE information: section name: entropy: 7.926018742616288
Source: MPGPH131.exe.8.dr Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: chrosha.exe.26.dr Static PE information: section name: entropy: 7.978115259211233
Source: chrosha.exe.26.dr Static PE information: section name: nkxbjlfg entropy: 7.954199818301463
Source: swiiiii[1].exe.44.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.44.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: alexxxxxxxx[1].exe.44.dr Static PE information: section name: .text entropy: 7.940192854489615

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe Jump to dropped file
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\amert[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe Jump to dropped file
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000208001\install.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\swiiiii[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File created: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window searched: window name: PROCMON_WINDOW_CLASS
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT1C07.tmp Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\explorta.job Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT1C07.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_000EF98E
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00161C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 4_2_00161C41
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Stalling execution: Execution stalls by calling Sleep
Query firmware table information (likely to detect VMs)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD312 second address: BAD31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD31A second address: BAD31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD31E second address: BAD322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37404 second address: D3742C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1228D24AC8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D266D7 second address: D26715 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F122870CBC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F122870CBD6h 0x00000011 je 00007F122870CBE0h 0x00000017 jmp 00007F122870CBD4h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39FB9 second address: D39FD0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1228D24AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39FD0 second address: D39FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A1DF second address: D3A207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 xor dword ptr [esp], 234BF1CFh 0x0000000d mov cx, 47D9h 0x00000011 lea ebx, dword ptr [ebp+12460E93h] 0x00000017 mov dx, 2738h 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jl 00007F1228D24AB6h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A2C8 second address: D3A2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A2DB second address: D3A2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A2E1 second address: D3A35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F122870CBD3h 0x0000000b pop esi 0x0000000c popad 0x0000000d nop 0x0000000e mov si, cx 0x00000011 and edx, dword ptr [ebp+122D3905h] 0x00000017 push 00000000h 0x00000019 mov esi, 0FB81FD7h 0x0000001e je 00007F122870CBC9h 0x00000024 call 00007F122870CBC9h 0x00000029 pushad 0x0000002a push ebx 0x0000002b jbe 00007F122870CBC6h 0x00000031 pop ebx 0x00000032 pushad 0x00000033 jmp 00007F122870CBCDh 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b popad 0x0000003c push eax 0x0000003d jp 00007F122870CBCEh 0x00000043 mov eax, dword ptr [esp+04h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F122870CBD0h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A35F second address: D3A369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F1228D24AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A369 second address: D3A388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A388 second address: D3A38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A38F second address: D3A3AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBD8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5AA2B second address: D5AA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1228D24AB6h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F1228D24AC7h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5AA55 second address: D5AA7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edi 0x0000000c push ebx 0x0000000d jmp 00007F122870CBCBh 0x00000012 pop ebx 0x00000013 jo 00007F122870CBD2h 0x00000019 jg 00007F122870CBC6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58938 second address: D5893E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5893E second address: D5894F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F122870CBC6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5894F second address: D5895A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58AA7 second address: D58AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58C2E second address: D58C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1228D24AC8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58C4E second address: D58C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58D92 second address: D58D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58D9E second address: D58DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58DA2 second address: D58DA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58EF0 second address: D58F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD0h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58F08 second address: D58F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABAh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F1228D24AB6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58F26 second address: D58F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58F2A second address: D58F32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58F32 second address: D58F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F122870CBC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D591D8 second address: D591DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D591DF second address: D591EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F122870CBC6h 0x0000000a jne 00007F122870CBC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D591EF second address: D591F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5951F second address: D59547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jno 00007F122870CBCEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F122870CBCFh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59547 second address: D59551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59551 second address: D59557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A1D7 second address: D5A1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A1DF second address: D5A1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A34B second address: D5A351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A351 second address: D5A355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A355 second address: D5A367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F1228D24ABCh 0x0000000c jnp 00007F1228D24AB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A367 second address: D5A36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A4B4 second address: D5A4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A4BA second address: D5A4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A618 second address: D5A61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A61C second address: D5A629 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A629 second address: D5A638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F1228D24AB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A638 second address: D5A63C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A63C second address: D5A642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A8DD second address: D5A8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D613DF second address: D613E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D613E3 second address: D61411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jc 00007F122870CBF0h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F122870CBCCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61411 second address: D61415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61415 second address: D61421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61421 second address: D61425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A938 second address: D1A93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63F0C second address: D63F28 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jmp 00007F1228D24ABCh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6445A second address: D64462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D645D8 second address: D645E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1228D24AB6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D645E3 second address: D645EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F122870CBC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66528 second address: D6652C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6652C second address: D66532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66532 second address: D66538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66853 second address: D66869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D669FA second address: D66A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1228D24AB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66A05 second address: D66A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66B89 second address: D66B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67522 second address: D67547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jmp 00007F122870CBD7h 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F122870CBC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D675C0 second address: D675C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D675C4 second address: D675CE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D675CE second address: D675D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D675D4 second address: D675D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D675D8 second address: D67633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F1228D24AC8h 0x00000013 jmp 00007F1228D24ABDh 0x00000018 pop edi 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d jmp 00007F1228D24AC2h 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67AEA second address: D67AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67AEE second address: D67AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67BB6 second address: D67BBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D695B9 second address: D69655 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1228D24ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push edx 0x0000000d jne 00007F1228D24AB6h 0x00000013 pop edx 0x00000014 pop esi 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F1228D24AB8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 xor dword ptr [ebp+122D2122h], eax 0x00000036 push 00000000h 0x00000038 mov esi, 20C90F29h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F1228D24AB8h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Bh 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 movzx esi, cx 0x0000005c xchg eax, ebx 0x0000005d jl 00007F1228D24ACFh 0x00000063 jmp 00007F1228D24AC9h 0x00000068 push eax 0x00000069 jl 00007F1228D24AD5h 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69655 second address: D69659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6A09F second address: D6A0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AB7D second address: D6AB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6A8C5 second address: D6A8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AB83 second address: D6AB87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6A8C9 second address: D6A8CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AB87 second address: D6AB8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AB8B second address: D6ABE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F1228D24ABBh 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D38FDh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F1228D24AB8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov esi, dword ptr [ebp+122D3719h] 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c jnc 00007F1228D24AB8h 0x00000042 push esi 0x00000043 pushad 0x00000044 popad 0x00000045 pop esi 0x00000046 popad 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6ABE6 second address: D6ABEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6ABEC second address: D6ABF6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1228D24ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6CBB4 second address: D6CC1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F122870CBC6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D22A5h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F122870CBC8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 jne 00007F122870CBD9h 0x00000039 xchg eax, ebx 0x0000003a jnl 00007F122870CBD4h 0x00000040 push eax 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6FC3B second address: D6FC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push ebx 0x0000000d cld 0x0000000e pop edi 0x0000000f add dword ptr [ebp+12462954h], ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F1228D24AB8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 jp 00007F1228D24ABCh 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b push ebx 0x0000003c push edx 0x0000003d pop edx 0x0000003e pop ebx 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70D62 second address: D70D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70D66 second address: D70D86 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F1228D24AB6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F1228D24ABCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72D01 second address: D72D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F122870CBC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72D12 second address: D72D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6FDE7 second address: D6FDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F122870CBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72D16 second address: D72D20 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1228D24AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6FDF1 second address: D6FDF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72D20 second address: D72D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F1228D24ABFh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6FDF5 second address: D6FE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edi 0x0000000c add ebx, dword ptr [ebp+12462633h] 0x00000012 pop edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, edx 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov edi, dword ptr [ebp+1246281Bh] 0x00000029 mov eax, dword ptr [ebp+122D0F15h] 0x0000002f mov bx, dx 0x00000032 push FFFFFFFFh 0x00000034 cld 0x00000035 sub dword ptr [ebp+12472FF5h], eax 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push edi 0x00000040 pop edi 0x00000041 jmp 00007F122870CBD2h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72D3D second address: D72D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B712 second address: D2B724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jns 00007F122870CBC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B724 second address: D2B742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B742 second address: D2B747 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75794 second address: D757FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1228D24AB8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+124621A2h], esi 0x00000031 mov bx, 6A13h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F1228D24AB8h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 sub dword ptr [ebp+12461FD3h], eax 0x00000057 mov ebx, dword ptr [ebp+122D3951h] 0x0000005d push eax 0x0000005e push ecx 0x0000005f push eax 0x00000060 push edx 0x00000061 push edi 0x00000062 pop edi 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D74A3C second address: D74A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D74B10 second address: D74B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D74B14 second address: D74B1E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7677C second address: D767FC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1228D24ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F1228D24AB8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007F1228D24AC7h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F1228D24AB8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D2887h] 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 jp 00007F1228D24AB6h 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D767FC second address: D76801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76801 second address: D76806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76806 second address: D7681E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F122870CBC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F122870CBCCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7681E second address: D76822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75907 second address: D759AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F122870CBC8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e mov ebx, dword ptr [ebp+122D27A1h] 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov dword ptr [ebp+12482885h], esi 0x00000041 mov eax, dword ptr [ebp+122D0029h] 0x00000047 sub dword ptr [ebp+12461FD3h], edx 0x0000004d push FFFFFFFFh 0x0000004f mov ebx, dword ptr [ebp+122D3759h] 0x00000055 call 00007F122870CBD2h 0x0000005a jmp 00007F122870CBD5h 0x0000005f pop ebx 0x00000060 nop 0x00000061 pushad 0x00000062 jl 00007F122870CBC8h 0x00000068 jc 00007F122870CBD0h 0x0000006e jmp 00007F122870CBCAh 0x00000073 popad 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 jnl 00007F122870CBC6h 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D759AD second address: D759B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D759B1 second address: D759B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D776F7 second address: D77786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F1228D24AB8h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 add dword ptr [ebp+12461326h], ecx 0x00000027 mov ebx, eax 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F1228D24AB8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov bx, 46B5h 0x00000049 jmp 00007F1228D24AC6h 0x0000004e push 00000000h 0x00000050 jmp 00007F1228D24AC6h 0x00000055 push eax 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D786A3 second address: D786A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7964F second address: D796B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov bx, dx 0x0000000f push 00000000h 0x00000011 jmp 00007F1228D24AC8h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F1228D24AB8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 je 00007F1228D24AB8h 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D796B7 second address: D796D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBD7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D796D2 second address: D796EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F1228D24AB8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7A6D9 second address: D7A6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C75E second address: D7C762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F7BE second address: D7F7C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D6A second address: D18D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C899 second address: D7C89F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B7B8 second address: D7B7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C89F second address: D7C941 instructions: 0x00000000 rdtsc 0x00000002 je 00007F122870CBD9h 0x00000008 jmp 00007F122870CBD3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F122870CBC8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c sub dword ptr [ebp+122DB6BFh], esi 0x00000032 push dword ptr fs:[00000000h] 0x00000039 mov ebx, dword ptr [ebp+12462733h] 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov dword ptr [ebp+1247A146h], edx 0x0000004c mov eax, dword ptr [ebp+122D0AE1h] 0x00000052 cld 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push eax 0x00000058 call 00007F122870CBC8h 0x0000005d pop eax 0x0000005e mov dword ptr [esp+04h], eax 0x00000062 add dword ptr [esp+04h], 00000014h 0x0000006a inc eax 0x0000006b push eax 0x0000006c ret 0x0000006d pop eax 0x0000006e ret 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F122870CBD6h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B7BC second address: D7B7C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C941 second address: D7C95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBD7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B7C2 second address: D7B7E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C95C second address: D7C969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7D840 second address: D7D844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D800C8 second address: D800D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F122870CBC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C969 second address: D7C973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7D844 second address: D7D84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D81E32 second address: D81E3C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1228D24AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D800D4 second address: D800D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C973 second address: D7C979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D81E3C second address: D81E42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D81E42 second address: D81EA2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F1228D24AB8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 jmp 00007F1228D24ABFh 0x0000002a jne 00007F1228D24ABCh 0x00000030 push 00000000h 0x00000032 mov edi, dword ptr [ebp+122D1B08h] 0x00000038 push 00000000h 0x0000003a mov ebx, dword ptr [ebp+122D1A9Fh] 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D830E8 second address: D830EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D17E second address: D2D197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F1228D24AC0h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8B932 second address: D8B93C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F122870CBD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8BC11 second address: D8BC15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95CF7 second address: D95CFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95CFB second address: D95D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F1228D24AC5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95D18 second address: D95D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95D1E second address: D95D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95D24 second address: D95D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95D28 second address: D95D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F1228D24ABAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95D3F second address: D95D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95D55 second address: D95D88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1228D24AC7h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D949F1 second address: D94A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9557E second address: D95588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1228D24AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95588 second address: D955A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D955A8 second address: D955AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95847 second address: D9584D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9584D second address: D9585B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 ja 00007F1228D24AB6h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9585B second address: D9587F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F122870CBD5h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F122870CBCDh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F122870CBC6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9587F second address: D95883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D95883 second address: D958A0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F122870CBCFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D958A0 second address: D958A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D282C7 second address: D282DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F122870CBC6h 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007F122870CBC6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D282DF second address: D282FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1228D24AC3h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D282FD second address: D28312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jno 00007F122870CBC6h 0x0000000c jc 00007F122870CBC6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9AA18 second address: D9AA1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9AA1C second address: D9AA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F122870CBCEh 0x0000000c jng 00007F122870CBC6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9ABE1 second address: D9ABE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B02C second address: D9B038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F122870CBC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B038 second address: D9B061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jmp 00007F1228D24AC9h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B061 second address: D9B071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B1E3 second address: D9B1E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B1E7 second address: D9B1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B1F1 second address: D9B1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B1F7 second address: D9B1FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B6BD second address: D9B6D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F1228D24AB6h 0x0000000b popad 0x0000000c jl 00007F1228D24ABEh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9B6D3 second address: D9B6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F122870CBD1h 0x0000000c pushad 0x0000000d jmp 00007F122870CBCAh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0152 second address: DA0177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1228D24AB6h 0x0000000a jmp 00007F1228D24AC1h 0x0000000f popad 0x00000010 pushad 0x00000011 jnl 00007F1228D24AB6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0177 second address: DA017D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA017D second address: DA0182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA030F second address: DA0317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0317 second address: DA0330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24AC3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA04B8 second address: DA04BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0648 second address: DA064E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA064E second address: DA0670 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F122870CBD6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0A47 second address: DA0A8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1228D24AB6h 0x00000009 je 00007F1228D24AB6h 0x0000000f jc 00007F1228D24AB6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 jmp 00007F1228D24AC0h 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push ecx 0x00000020 jmp 00007F1228D24ABEh 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F1228D24ABAh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0BB5 second address: DA0BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F122870CBDBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24BF8 second address: D24C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnl 00007F1228D24AB8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24C0B second address: D24C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F122870CBD9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24C2B second address: D24C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24C2F second address: D24C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA4333 second address: DA4345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABDh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA4345 second address: DA434B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA434B second address: DA4355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1228D24AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1FA4A second address: D1FA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA94C4 second address: DA94CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA94CB second address: DA94E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F122870CBC6h 0x0000000d jmp 00007F122870CBCBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA94E3 second address: DA950A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F1228D24AC9h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA950A second address: DA9511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9511 second address: DA9516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9516 second address: DA9533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F122870CBC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9533 second address: DA9537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DD95 second address: D6DD9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DD9B second address: D6DDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DDA0 second address: D6DDA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DDA5 second address: D6DDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1228D24AB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov ch, al 0x00000012 mov dword ptr [ebp+1245E7A2h], ebx 0x00000018 lea eax, dword ptr [ebp+12494B5Bh] 0x0000001e mov cx, ax 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DDCD second address: D6DDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DDD1 second address: D6DDD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DDD5 second address: D6DDDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DDDB second address: D6DDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1228D24AC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E399 second address: D6E3CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push esi 0x0000000a jc 00007F122870CBC8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F122870CBD0h 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F122870CBCAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E3CE second address: D6E405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jnl 00007F1228D24AC4h 0x00000014 pop eax 0x00000015 mov edx, 1505B3D5h 0x0000001a push D9A6AFCFh 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 jnl 00007F1228D24AB6h 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E4E5 second address: D6E4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E4EB second address: D6E4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F1228D24ABCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E549 second address: D6E578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b jng 00007F122870CBC8h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 xchg eax, esi 0x00000015 sub edi, dword ptr [ebp+122D3995h] 0x0000001b nop 0x0000001c push edx 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E578 second address: D6E583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E583 second address: D6E589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E61C second address: D6E621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E621 second address: D6E626 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EB3F second address: D6EB44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EB44 second address: D6EB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EB4A second address: D6EB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F1228D24AB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EB5B second address: D6EBA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b movsx edi, bx 0x0000000e push 0000001Eh 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F122870CBC8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a or dword ptr [ebp+1246DDA5h], ebx 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jno 00007F122870CBC8h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BEC7 second address: D6BED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EF9E second address: D6EFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EFA4 second address: D6F019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1228D24AC0h 0x0000000b jmp 00007F1228D24ABAh 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F1228D24AB8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov edi, 243CFC9Dh 0x00000031 lea eax, dword ptr [ebp+12494B9Fh] 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F1228D24AB8h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov dword ptr [ebp+1245E44Eh], ebx 0x00000057 push eax 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F019 second address: D6F06B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d movsx edx, bx 0x00000010 lea eax, dword ptr [ebp+12494B5Bh] 0x00000016 clc 0x00000017 nop 0x00000018 pushad 0x00000019 push eax 0x0000001a push esi 0x0000001b pop esi 0x0000001c pop eax 0x0000001d pushad 0x0000001e jmp 00007F122870CBD8h 0x00000023 push eax 0x00000024 pop eax 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F06B second address: D6F07B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1228D24AB6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA870A second address: DA870E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA8C4D second address: DA8C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA8C53 second address: DA8C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA8C57 second address: DA8C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAC74B second address: DAC74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAC74F second address: DAC77A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1228D24ABCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F1228D24AC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF548 second address: DAF54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF134 second address: DAF13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB190B second address: DB1926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB14EE second address: DB14FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB14FD second address: DB1501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB4DF7 second address: DB4E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1228D24AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBAC5E second address: DBAC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F122870CBCAh 0x0000000d jmp 00007F122870CBCEh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBAC83 second address: DBAC93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9556 second address: DB955B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB955B second address: DB9569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1228D24AB6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB981D second address: DB9856 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F122870CBCAh 0x00000013 push ecx 0x00000014 jmp 00007F122870CBCDh 0x00000019 jmp 00007F122870CBD3h 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9B0D second address: DB9B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9C33 second address: DB9C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 jmp 00007F122870CBD8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E9B7 second address: D6E9C5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1228D24AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E9C5 second address: D6E9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBA99E second address: DBA9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBA9A6 second address: DBA9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBCFh 0x00000009 je 00007F122870CBC6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBA9C4 second address: DBA9D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE85C second address: DBE866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE866 second address: DBE88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F1228D24AC4h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE88D second address: DBE893 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE893 second address: DBE8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007F1228D24AE0h 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2154F second address: D215A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F122870CBD4h 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F122870CBD3h 0x00000019 jmp 00007F122870CBD3h 0x0000001e pushad 0x0000001f jp 00007F122870CBC6h 0x00000025 jp 00007F122870CBC6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDB65 second address: DBDB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1228D24AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDB71 second address: DBDB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDB79 second address: DBDB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDB80 second address: DBDB86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDB86 second address: DBDB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1228D24AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDB90 second address: DBDBB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F122870CBD2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F122870CBC6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDBB7 second address: DBDBC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDBC7 second address: DBDBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDD58 second address: DBDD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jng 00007F1228D24AB6h 0x0000000c jmp 00007F1228D24ABEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDFD9 second address: DBDFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F122870CBC6h 0x0000000a je 00007F122870CBC6h 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 jc 00007F122870CBC6h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBDFF7 second address: DBE018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F1228D24AC8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE018 second address: DBE01C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC463D second address: DC4643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4643 second address: DC4649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4649 second address: DC4652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC47B9 second address: DC47BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC47BD second address: DC47E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1228D24AC8h 0x0000000b pushad 0x0000000c jne 00007F1228D24AB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4EA7 second address: DC4EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4EAB second address: DC4EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC5165 second address: DC5195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F122870CBC6h 0x0000000a jmp 00007F122870CBD5h 0x0000000f popad 0x00000010 pushad 0x00000011 jnc 00007F122870CBC6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 je 00007F122870CBC6h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC5195 second address: DC51A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABAh 0x00000007 js 00007F1228D24ABCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC56EA second address: DC56F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC56F2 second address: DC56F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC5F7B second address: DC5F84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC5F84 second address: DC5F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC5F8A second address: DC5F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC5F95 second address: DC5FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABFh 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC627A second address: DC627E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC627E second address: DC629B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1228D24AC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA062 second address: DCA066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA1D8 second address: DCA1E4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1228D24AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA34D second address: DCA353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA353 second address: DCA372 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1228D24AB6h 0x00000008 jmp 00007F1228D24AC1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA372 second address: DCA37C instructions: 0x00000000 rdtsc 0x00000002 js 00007F122870CBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA4E2 second address: DCA4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F1228D24AB6h 0x0000000c jne 00007F1228D24AB6h 0x00000012 jno 00007F1228D24AB6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA7CB second address: DCA7D5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F122870CBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCA8FF second address: DCA90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F1228D24AB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF3E0 second address: DCF3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF3E4 second address: DCF3EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD6B47 second address: DD6B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD6B4D second address: DD6B58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD6B58 second address: DD6B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD6B60 second address: DD6B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F1228D24AB8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD6B71 second address: DD6B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F122870CBC6h 0x0000000a jnl 00007F122870CBC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4C9A second address: DD4CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4CA0 second address: DD4CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4CA5 second address: DD4CE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F1228D24ABDh 0x0000000f pushad 0x00000010 jmp 00007F1228D24AC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4E45 second address: DD4E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5262 second address: DD526E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5558 second address: DD5566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD59BC second address: DD59D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24AC1h 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD59D9 second address: DD59F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F122870CBC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F122870CBCCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD59F2 second address: DD59F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5B56 second address: DD5B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F122870CBCCh 0x0000000c jnc 00007F122870CBC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5B6F second address: DD5B92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F1228D24AB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5B92 second address: DD5B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDE15C second address: DDE162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDE162 second address: DDE188 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F122870CBC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F122870CBD5h 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30799 second address: D307A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D307A7 second address: D307B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D307B5 second address: D307CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1228D24AC1h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDDB37 second address: DDDB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDDB50 second address: DDDB56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDDB56 second address: DDDB70 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F122870CBD2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDDB70 second address: DDDB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1228D24AB6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDDB81 second address: DDDB97 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F122870CBC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jp 00007F122870CBC6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C3EE second address: D1C3FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF38B6 second address: DF38EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F122870CBD1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F122870CBC6h 0x00000013 jmp 00007F122870CBD6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF35E9 second address: DF35ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF35ED second address: DF35F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF35F5 second address: DF3600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F1228D24AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF3600 second address: DF3606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF81FB second address: DF8206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1228D24AB6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8206 second address: DF820E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF820E second address: DF8222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F1228D24AC2h 0x0000000c je 00007F1228D24AB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8222 second address: DF8248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F122870CC00h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F122870CBD6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8248 second address: DF824E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E00020 second address: E00029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E02C24 second address: E02C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E02C28 second address: E02C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0923B second address: E0924B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F1228D24AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0924B second address: E09255 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09255 second address: E09269 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1228D24ABFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09269 second address: E09292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F122870CBCDh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F122870CBCFh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09292 second address: E09296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09296 second address: E092B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F122870CBCEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E092B0 second address: E092B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0941B second address: E0941F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0941F second address: E09437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABEh 0x00000007 jc 00007F1228D24AB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09437 second address: E0943D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0943D second address: E09441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E095E5 second address: E095FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F122870CBC6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jns 00007F122870CBC6h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E095FF second address: E09621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1228D24AC9h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09621 second address: E09635 instructions: 0x00000000 rdtsc 0x00000002 js 00007F122870CBC6h 0x00000008 jne 00007F122870CBC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E097D6 second address: E097E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F1228D24AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E097E5 second address: E097FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBCDh 0x00000009 popad 0x0000000a jg 00007F122870CBCCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09C6A second address: E09C6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09DDD second address: E09DFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FC29 second address: E0FC2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FC2F second address: E0FC33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FC33 second address: E0FC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FC41 second address: E0FC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FC45 second address: E0FC61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jl 00007F1228D24ABEh 0x0000000f pushad 0x00000010 popad 0x00000011 jns 00007F1228D24AB6h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F703 second address: E0F70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F70C second address: E0F72C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1228D24AB6h 0x00000008 jmp 00007F1228D24AC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F8C1 second address: E0F8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F122870CBC8h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F8CE second address: E0F8F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007F1228D24AB6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F1228D24AC1h 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007F1228D24AB8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F8F9 second address: E0F903 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F122870CBCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F903 second address: E0F90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2140D second address: E21415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E21415 second address: E21437 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1228D24AB6h 0x00000008 jne 00007F1228D24AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F1228D24ABEh 0x0000001a push edi 0x0000001b pop edi 0x0000001c jng 00007F1228D24AB6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1BAF8 second address: E1BB1D instructions: 0x00000000 rdtsc 0x00000002 js 00007F122870CBDCh 0x00000008 jne 00007F122870CBC6h 0x0000000e jmp 00007F122870CBD0h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2EDED second address: E2EDF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2EDF2 second address: E2EE04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCDh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2EE04 second address: E2EE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1228D24AC9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2EE26 second address: E2EE30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F122870CBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4A235 second address: E4A23E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E494A7 second address: E494B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBCBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49F50 second address: E49F54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49F54 second address: E49F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F122870CBC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4CF13 second address: E4CF3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC4h 0x00000007 jns 00007F1228D24AB8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007F1228D24AB6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4CF3E second address: E4CF69 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F122870CBD6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pushad 0x00000012 jno 00007F122870CBC6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4F8EE second address: E4F8F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4FAE3 second address: E4FB17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD4h 0x00000008 jmp 00007F122870CBD4h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4FB17 second address: E4FB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4FB1C second address: E4FB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F122870CBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4FB26 second address: E4FBBA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1228D24AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d or edx, 7ADCEC44h 0x00000013 push 00000004h 0x00000015 clc 0x00000016 mov dword ptr [ebp+122D1CC3h], edx 0x0000001c call 00007F1228D24AB9h 0x00000021 pushad 0x00000022 jmp 00007F1228D24AC7h 0x00000027 jmp 00007F1228D24AC3h 0x0000002c popad 0x0000002d push eax 0x0000002e pushad 0x0000002f jnp 00007F1228D24AC2h 0x00000035 jmp 00007F1228D24ABCh 0x0000003a pushad 0x0000003b jbe 00007F1228D24AB6h 0x00000041 jl 00007F1228D24AB6h 0x00000047 popad 0x00000048 popad 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jmp 00007F1228D24AC2h 0x00000055 jne 00007F1228D24AB6h 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4FBBA second address: E4FBCD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F122870CBC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55200CF second address: 55200D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55200D3 second address: 55200D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500DA2 second address: 5500DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500DAE second address: 5500DBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500DBF second address: 5500DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1228D24ABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500DCF second address: 5500DE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F122870CBCAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500DE6 second address: 5500E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ah, B0h 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F1228D24AC4h 0x00000011 push ecx 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500E09 second address: 5500E1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 push edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500E1B second address: 5500E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55500C2 second address: 5550107 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD6h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F122870CBCCh 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F122870CBD7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5550107 second address: 555011F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1228D24AC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E007C second address: 54E00B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F122870CBD0h 0x0000000a or ah, 00000058h 0x0000000d jmp 00007F122870CBCBh 0x00000012 popfd 0x00000013 popad 0x00000014 mov ebx, eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F122870CBD1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E00B8 second address: 54E00F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1228D24ABAh 0x00000013 adc ax, 1A18h 0x00000018 jmp 00007F1228D24ABBh 0x0000001d popfd 0x0000001e mov ebx, eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E00F0 second address: 54E0132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBCBh 0x00000008 pushfd 0x00000009 jmp 00007F122870CBD8h 0x0000000e xor cl, FFFFFFA8h 0x00000011 jmp 00007F122870CBCBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e mov ecx, 4077A231h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0132 second address: 54E014E instructions: 0x00000000 rdtsc 0x00000002 mov esi, 52F3306Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1228D24ABAh 0x0000000e popad 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E014E second address: 54E016B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E016B second address: 54E019B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop edx 0x00000010 mov di, si 0x00000013 popad 0x00000014 popad 0x00000015 push dword ptr [ebp+0Ch] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F1228D24ABAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E019B second address: 54E01B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov ebx, 6B092BD4h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E01B8 second address: 54E01BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0215 second address: 54E0226 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 1BC15DDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0226 second address: 54E022C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550067F second address: 5500685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500685 second address: 550068B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550068B second address: 550068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550068F second address: 55006A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movzx esi, di 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edi, 0CA0997Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006A3 second address: 55006B1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006B1 second address: 55006C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006C4 second address: 5500705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F122870CBCDh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F122870CBCEh 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F122870CBD7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55005B6 second address: 55005F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f pushfd 0x00000010 jmp 00007F1228D24AC6h 0x00000015 sub al, FFFFFFB8h 0x00000018 jmp 00007F1228D24ABBh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55005F8 second address: 550063F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F122870CBCEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F122870CBD7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550063F second address: 5500645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500381 second address: 55003BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F122870CBCCh 0x00000011 add cl, FFFFFFE8h 0x00000014 jmp 00007F122870CBCBh 0x00000019 popfd 0x0000001a mov dh, cl 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55003BE second address: 55003D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510124 second address: 5510133 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510133 second address: 551015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1228D24ABCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551015F second address: 55101A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD1h 0x00000008 pushfd 0x00000009 jmp 00007F122870CBD0h 0x0000000e adc ch, 00000038h 0x00000011 jmp 00007F122870CBCBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ax, bx 0x00000021 mov ax, dx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55101A1 second address: 55101A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55101A7 second address: 55101AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552037C second address: 5520382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520382 second address: 5520386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520386 second address: 552038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552038A second address: 55203A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F122870CBCBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55203A0 second address: 55203A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55203A7 second address: 55203BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F122870CBCAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55203BD second address: 55203C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55203C3 second address: 55203C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55203C7 second address: 55203CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55203CB second address: 552040F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F122870CBD9h 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 mov edi, ecx 0x00000015 mov si, FCAFh 0x00000019 popad 0x0000001a and dword ptr [eax], 00000000h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F122870CBD1h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552040F second address: 552046A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F1228D24AC3h 0x0000000c sub esi, 19BE9A9Eh 0x00000012 jmp 00007F1228D24AC9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b and dword ptr [eax+04h], 00000000h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007F1228D24AC3h 0x00000027 pop eax 0x00000028 mov esi, edx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500554 second address: 5500559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55201F2 second address: 552022F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1228D24ABEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1228D24ABEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552022F second address: 5520270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F122870CBD6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F122870CBD7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520270 second address: 552027F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55407B1 second address: 55407B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55407B6 second address: 5540835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov esi, 3F236E63h 0x00000015 pushfd 0x00000016 jmp 00007F1228D24AC8h 0x0000001b jmp 00007F1228D24AC5h 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007F1228D24ABEh 0x00000029 xchg eax, ecx 0x0000002a jmp 00007F1228D24AC0h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F1228D24ABEh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540835 second address: 554085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD1h 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, 65BAh 0x00000016 movsx edx, si 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 554085B second address: 5540908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1228D24AC3h 0x00000008 mov edi, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [76FA65FCh] 0x00000012 pushad 0x00000013 mov dl, ah 0x00000015 jmp 00007F1228D24ABDh 0x0000001a popad 0x0000001b test eax, eax 0x0000001d jmp 00007F1228D24ABEh 0x00000022 je 00007F129A707B80h 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov dl, al 0x0000002e popad 0x0000002f mov ecx, eax 0x00000031 pushad 0x00000032 push edi 0x00000033 mov bl, cl 0x00000035 pop edi 0x00000036 pushfd 0x00000037 jmp 00007F1228D24AC8h 0x0000003c and ecx, 7598BE18h 0x00000042 jmp 00007F1228D24ABBh 0x00000047 popfd 0x00000048 popad 0x00000049 xor eax, dword ptr [ebp+08h] 0x0000004c jmp 00007F1228D24ABFh 0x00000051 and ecx, 1Fh 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F1228D24AC5h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540908 second address: 5540918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540918 second address: 554091C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 554091C second address: 5540985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ror eax, cl 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e call 00007F122870CBD9h 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F122870CBD7h 0x0000001b mov ax, CA5Fh 0x0000001f popad 0x00000020 popad 0x00000021 leave 0x00000022 jmp 00007F122870CBD2h 0x00000027 retn 0004h 0x0000002a nop 0x0000002b mov esi, eax 0x0000002d lea eax, dword ptr [ebp-08h] 0x00000030 xor esi, dword ptr [00BA2014h] 0x00000036 push eax 0x00000037 push eax 0x00000038 push eax 0x00000039 lea eax, dword ptr [ebp-10h] 0x0000003c push eax 0x0000003d call 00007F122D0EDC9Fh 0x00000042 push FFFFFFFEh 0x00000044 pushad 0x00000045 mov cl, 74h 0x00000047 push eax 0x00000048 push edx 0x00000049 mov ebx, 34F2910Ch 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540985 second address: 55409D2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1228D24AC5h 0x00000008 sbb ax, 67E6h 0x0000000d jmp 00007F1228D24AC1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007F1228D24AC3h 0x0000001f movzx ecx, dx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55409D2 second address: 5540A1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F122D0EDD08h 0x00000011 mov edi, edi 0x00000013 jmp 00007F122870CBD0h 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F122870CBD0h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F122870CBCDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540A1E second address: 5540A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540A24 second address: 5540A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5540A2A second address: 5540A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F003A second address: 54F004D instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, 06E6h 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 movsx edx, si 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F004D second address: 54F00BB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1228D24AC2h 0x00000008 or esi, 01510288h 0x0000000e jmp 00007F1228D24ABBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F1228D24AC8h 0x0000001c sub si, 64E8h 0x00000021 jmp 00007F1228D24ABBh 0x00000026 popfd 0x00000027 popad 0x00000028 and esp, FFFFFFF8h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F1228D24AC5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00BB second address: 54F00D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00D8 second address: 54F0100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 39h 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F1228D24AC7h 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov ax, DFA1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0100 second address: 54F0120 instructions: 0x00000000 rdtsc 0x00000002 mov dh, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, 6283779Eh 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F122870CBD1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0120 second address: 54F0126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0126 second address: 54F0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b jmp 00007F122870CBCFh 0x00000010 mov ebx, dword ptr [ebp+10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0149 second address: 54F014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F014D second address: 54F0168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0168 second address: 54F016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F016E second address: 54F0172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0172 second address: 54F0190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1228D24AC3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0190 second address: 54F01E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBCFh 0x00000008 mov dx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 mov cx, B9F7h 0x00000016 mov si, FE93h 0x0000001a popad 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e jmp 00007F122870CBD6h 0x00000023 xchg eax, edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F122870CBD7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F01E8 second address: 54F01EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F01EE second address: 54F021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F122870CBCCh 0x00000010 sbb eax, 2BB80CA8h 0x00000016 jmp 00007F122870CBCBh 0x0000001b popfd 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F021A second address: 54F0275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 pushad 0x00000008 mov bx, ax 0x0000000b mov si, 8369h 0x0000000f popad 0x00000010 test esi, esi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F1228D24AC2h 0x00000019 jmp 00007F1228D24AC5h 0x0000001e popfd 0x0000001f pushad 0x00000020 mov edx, ecx 0x00000022 push esi 0x00000023 pop ebx 0x00000024 popad 0x00000025 popad 0x00000026 je 00007F129A752E6Eh 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F1228D24ABEh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0275 second address: 54F0284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0284 second address: 54F029C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1228D24AC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F029C second address: 54F02B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F02B1 second address: 54F02B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F02B5 second address: 54F02CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F02CD second address: 54F02D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F02D3 second address: 54F02D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F02D7 second address: 54F034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F129A752E02h 0x0000000e jmp 00007F1228D24AC9h 0x00000013 mov edx, dword ptr [esi+44h] 0x00000016 pushad 0x00000017 push esi 0x00000018 call 00007F1228D24AC3h 0x0000001d pop eax 0x0000001e pop edi 0x0000001f mov ebx, eax 0x00000021 popad 0x00000022 or edx, dword ptr [ebp+0Ch] 0x00000025 jmp 00007F1228D24AC0h 0x0000002a test edx, 61000000h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F1228D24AC7h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F034D second address: 54F03C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F129A13AEE4h 0x0000000f jmp 00007F122870CBCEh 0x00000014 test byte ptr [esi+48h], 00000001h 0x00000018 jmp 00007F122870CBD0h 0x0000001d jne 00007F129A13AED5h 0x00000023 jmp 00007F122870CBD0h 0x00000028 test bl, 00000007h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F122870CBD7h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E078D second address: 54E07CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1228D24AC1h 0x00000009 sub esi, 188FC996h 0x0000000f jmp 00007F1228D24AC1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1228D24ABDh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E07CD second address: 54E07D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E07D2 second address: 54E080D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1228D24AC6h 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1228D24AC7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E080D second address: 54E0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F122870CBD3h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0845 second address: 54E084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E084A second address: 54E08DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F122870CBCEh 0x00000013 or ecx, 68A58268h 0x00000019 jmp 00007F122870CBCBh 0x0000001e popfd 0x0000001f movzx ecx, bx 0x00000022 popad 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F122870CBCEh 0x0000002a mov esi, 45333961h 0x0000002f popad 0x00000030 mov dword ptr [esp], ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F122870CBD9h 0x0000003c add eax, 3AA165E6h 0x00000042 jmp 00007F122870CBD1h 0x00000047 popfd 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E08DB second address: 54E08E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E08E0 second address: 54E08EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E08EE second address: 54E093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov edi, ecx 0x0000000c pushfd 0x0000000d jmp 00007F1228D24AC6h 0x00000012 add si, EBE8h 0x00000017 jmp 00007F1228D24ABBh 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp], esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F1228D24AC5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E093D second address: 54E094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E094D second address: 54E0951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0951 second address: 54E0968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F122870CBCAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0968 second address: 54E097E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E097E second address: 54E0982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0982 second address: 54E0A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushfd 0x00000008 jmp 00007F1228D24ABAh 0x0000000d and ecx, 768DB308h 0x00000013 jmp 00007F1228D24ABBh 0x00000018 popfd 0x00000019 pop esi 0x0000001a popad 0x0000001b test esi, esi 0x0000001d jmp 00007F1228D24ABFh 0x00000022 je 00007F129A75A48Bh 0x00000028 jmp 00007F1228D24AC6h 0x0000002d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F1228D24ABEh 0x0000003b adc ax, A7C8h 0x00000040 jmp 00007F1228D24ABBh 0x00000045 popfd 0x00000046 call 00007F1228D24AC8h 0x0000004b jmp 00007F1228D24AC2h 0x00000050 pop ecx 0x00000051 popad 0x00000052 mov ecx, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A31 second address: 54E0A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A35 second address: 54E0A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A39 second address: 54E0A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A3F second address: 54E0A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A45 second address: 54E0A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A49 second address: 54E0A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F129A75A408h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A5C second address: 54E0A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A63 second address: 54E0ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FA6968h], 00000002h 0x00000010 pushad 0x00000011 mov edx, esi 0x00000013 mov edi, eax 0x00000015 popad 0x00000016 jne 00007F129A75A3E1h 0x0000001c pushad 0x0000001d mov ah, 25h 0x0000001f mov ax, bx 0x00000022 popad 0x00000023 mov edx, dword ptr [ebp+0Ch] 0x00000026 pushad 0x00000027 mov ax, bx 0x0000002a mov esi, edi 0x0000002c popad 0x0000002d push ebx 0x0000002e jmp 00007F1228D24AC0h 0x00000033 mov dword ptr [esp], ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0ABC second address: 54E0AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0AC0 second address: 54E0ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BACABB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Special instruction interceptor: First address: 5FCABB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Special instruction interceptor: First address: 90798C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Special instruction interceptor: First address: AD4CBF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 107798C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1244CBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Special instruction interceptor: First address: 8CB7A7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Special instruction interceptor: First address: 8CB895 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Special instruction interceptor: First address: A90C4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Special instruction interceptor: First address: 8CB794 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: EE798C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 10B4CBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: A6B7A7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: A6B895 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: C30C4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Special instruction interceptor: First address: A6B794 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: 6D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: 2460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: A60000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05560D2E rdtsc 0_2_05560D2E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 180000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 1272 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 1286 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 1280 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 1258 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 1191 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Window / User API: threadDelayed 991 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Window / User API: threadDelayed 1035
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Window / User API: threadDelayed 1385
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe Jump to dropped file
Source: C:\Windows\System32\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe Jump to dropped file
Source: C:\Windows\System32\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000208001\install.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe API coverage: 3.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6052 Thread sleep time: -52026s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2452 Thread sleep count: 1272 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2452 Thread sleep time: -2545272s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4164 Thread sleep count: 1286 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4164 Thread sleep time: -2573286s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6628 Thread sleep count: 1280 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6628 Thread sleep time: -2561280s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2684 Thread sleep count: 216 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2684 Thread sleep time: -6480000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4832 Thread sleep count: 1258 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4832 Thread sleep time: -2517258s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2636 Thread sleep time: -1260000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2472 Thread sleep count: 1191 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2472 Thread sleep time: -2383191s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7064 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe TID: 8188 Thread sleep count: 1035 > 30
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe TID: 8188 Thread sleep count: 213 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7628 Thread sleep count: 37 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1100 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe TID: 8852 Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10860 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10860 Thread sleep time: -84042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10852 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10852 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10868 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10868 Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2668 Thread sleep count: 162 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2668 Thread sleep time: -4860000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5324 Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10872 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10872 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2668 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8112 Thread sleep time: -150000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Thread sleep count: Count: 1035 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Thread sleep count: Count: 1385 delay: -10
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0010C2A2 FindFirstFileExW, 4_2_0010C2A2
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001468EE FindFirstFileW,FindClose, 4_2_001468EE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 4_2_0014698F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_0013D076
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_0013D3A9
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00149642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00149642
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_0014979D
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00149B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 4_2_00149B2B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 4_2_0013DBBE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00145C97 FindFirstFileW,FindNextFileW,FindClose, 4_2_00145C97
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_008333B0 FindFirstFileA,FindNextFileA, 8_2_008333B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00853B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_00853B20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_007A1F8C FindFirstFileExW, 8_2_007A1F8C
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 4_2_000D42DE
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: RageMP131.exe, 0000001F.00000002.2450136740.00000000014F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 00000013.00000002.2506556496.0000000007E40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}B
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe
Source: svchost.exe, 0000001E.00000003.2431230424.000001EFCEC58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcpV6VMWare
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3326542226.000002AF2AC57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3254451023.000002AF2542B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 0000001F.00000003.2387394578.00000000014E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007C0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsta_dat
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000170A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\signons.sqlite
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2008235072.00000000017F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7BBA5097eq
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWv>
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7BBA5097e
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW #
Source: MPGPH131.exe, 00000014.00000002.2539684694.0000000007990000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ill_sync_metadata
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorta.exe, explorta.exe, 00000003.00000002.2067305894.0000000000791000.00000040.00000001.01000000.00000007.sdmp, 2531414c80.exe, 2531414c80.exe, 00000008.00000002.2507620764.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2498548418.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000002.2531990247.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, 2531414c80.exe, 00000018.00000002.2403608510.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, amert.exe, 0000001A.00000002.2452955674.0000000000A5E000.00000040.00000001.01000000.0000000E.sdmp, RageMP131.exe, 0000001F.00000002.2448644551.000000000106D000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7BBA5097
Source: b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(a
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000001F.00000002.2450136740.00000000014DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2531414c80.exe, 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&0<
Source: MPGPH131.exe, 00000013.00000002.2507231203.0000000008422000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*k#
Source: MPGPH131.exe, 00000014.00000003.2235461744.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}w>
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000A78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&U?
Source: amert.exe, 0000001A.00000003.2428413473.00000000011CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{5
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: explorta.exe, 00000002.00000002.3253602072.00000000014B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0wO
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MPGPH131.exe, 00000013.00000003.2358561956.00000000085AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}cGVhZm1tZ2RwZmtvZ2tnaGNwaWhh2j4FMS4yLjDgPtDD9agG6D4A6D4G6D4L8D7Qw/WoBsoBWggBEAUYAiAAKAAwADgAQABIAFAAWABgAGgAeACAAQDIPgPSPiBtaGpmYm1kZ2NmamJicGFlb2pvZm9ob2VmZ2llaGphado+ATHgPtDD9agG6D4A8D7Qw/WoBsoBXggBEAUYAiAAKAAwADgAQABIAFAAWABgAGgCeACAAQDIPgPSPiBuY2JqZWxwamNoa3BiaWticGtjY2hraGtibG9kb2FtYdo+BTIuMC4y4D7Qw/WoBug+APA+0MP1qAbKAV8IARAFGAIgACgAMAA4AEAASABQAFgAYABoAngAgAEAyD4D0j4gbmtlaW1ob2dqZHBucGNjb29mcGxpaW1hYWhtYWFvbWXaPgYxLjMuMjHgPtDD9agG6D4A8D7Qw/WoBvgBsiiAAv///////////wGIAgGoAoQXsgIQd6OHVV3LMHKvjeie9v2i18o+1wcKBAgAEAASEgoCCAMSAggIGgIIASIECAAQARoPCg1ub19lbnYtbm9fdmVyIgIIAjJiCAAaLDQ3REVRcGo4SEJTYSsvVEltVys1SkNldVFlUmttNU5NcEpXWkczaFN1RlU9Ii4icFpMaFRhSjIzaE41dVF4d3p1MEsyQ1llcy9kdkp1RTkzVmJJVlYvTG5SQT0iKgA6Cwjz///v9/////8BQikSCjEuMy4xNzcuMTEYBSAAKg5SZWdLZXlOb3RGb3VuZDIHd2luZG93c1ICCAFa/AUJdZMYBFaWU0AR3SQGgZVTRkAZAAAAAAAAWUAZAAAAAAAANEAZAAAAAAAAWUAZAAAAAAAA8D8ZAAAAAAAA8D8ZAAAAAAAAAAAZAAAAAAAAAAAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAANEAZAAAAAAAAWUAZAAAAAAAAAAAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAAWUAZAAAAAAAA8D8ZAAAAAAAA8D8yFQiH9N6X29eyvKYBEggIABABIJCABDISCNvpsoebrM36GRIGCAAQASAQMhII++qnh8mYwYhfEgYIABABIBAyEgjozNnlpJyeyzkSBggAEAEgEDITCOC54qSdyuvjjgESBggAEAEgEDISCNn9xMr9td2KbRIGCAAQASAQMhIIgteJ4NSXj9E2EgYIABABIBAyEgjmzv2twIj8gn4SBggAEAEgEDIUCKfHy9mkub6BwwESBwgBEAEgkGAyFQiauYjc7KfS3OEBEggIABABIJCABDITCJnwsYm4+NWOLBIHCAEQASCQYDIUCNHJvLvV2cza5wESBwgBEAEgkGAyEwiQrNz7jbLTpQwSBwgBEAEgkGAyEgjVuuKf55342XkSBggAEAEgEDITCPeTqZiGj5aaSRIHCAEQASCQYDISCLPMhM/6sZX2NRIGCAAQASAQMhIIh6SA76Kw0u9WEgYIABABIBAyEwjcx7n5qNnem6MBEgYIABABIBAyFAjKvKW5jY/Wx+cBEgcIARABIJBgMhQIwqf5grzUgKTqARIHCAEQASCQYDIWCJiYntn49dXkggESCQgAEAEggICACDITCMuAzLDq3NSUzwESBggAEAEgEDITCIS9vZeNgI79kgESBggAEAEgEDITCP7Mx9PU/OC9iQESBggAEAEgEDISCNKq8/iqnu6OFRIGCAAQASAQMhQImuHa5M/ohPHnARIHCAEQASCQYHoCCACCAQIYAA==I24SSJlGLqoRv2J'
Source: b3168c3d9b.exe, 00000004.00000002.2415455709.00000000010E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qc
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2026963565.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, explorta.exe, 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp, explorta.exe, 00000003.00000002.2067305894.0000000000791000.00000040.00000001.01000000.00000007.sdmp, 2531414c80.exe, 00000008.00000002.2507620764.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2498548418.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000002.2531990247.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, 2531414c80.exe, 00000018.00000002.2403608510.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, amert.exe, 0000001A.00000002.2452955674.0000000000A5E000.00000040.00000001.01000000.0000000E.sdmp, RageMP131.exe, 0000001F.00000002.2448644551.000000000106D000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_051502BB Start: 05150AAE End: 05150340 8_2_051502BB
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05560D2E rdtsc 0_2_05560D2E
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014EAA2 BlockInput, 4_2_0014EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00102622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00102622
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 4_2_000D42DE
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005C5D0B mov eax, dword ptr fs:[00000030h] 2_2_005C5D0B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005C9A72 mov eax, dword ptr fs:[00000030h] 2_2_005C9A72
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F4CE8 mov eax, dword ptr fs:[00000030h] 4_2_000F4CE8
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00834130 mov eax, dword ptr fs:[00000030h] 8_2_00834130
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00801A60 mov eax, dword ptr fs:[00000030h] 8_2_00801A60
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00130B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 4_2_00130B62
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00102622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00102622
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_000F083F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F09D5 SetUnhandledExceptionFilter, 4_2_000F09D5
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_000F0C21
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\System32\svchost.exe File created: BIT1659.tmp.6.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\rundll32.exe Network Connect: 193.233.132.167 80
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1154008
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00131201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 4_2_00131201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00596E30 ShellExecuteA,Sleep,CreateThread,Sleep, 2_2_00596E30
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013B226 SendInput,keybd_event, 4_2_0013B226
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 4_2_001522DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00130B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 4_2_00130B62
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00131663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 4_2_00131663
Source: b3168c3d9b.exe, 00000004.00000000.2070491358.0000000000192000.00000002.00000001.01000000.00000009.sdmp, b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorta.exe, explorta.exe, 00000003.00000002.2067305894.0000000000791000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: b3168c3d9b.exe Binary or memory string: Shell_TrayWnd
Source: 2531414c80.exe, 2531414c80.exe, 00000008.00000002.2507620764.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2498548418.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000002.2531990247.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: /HProgram Manager
Source: amert.exe, 0000001A.00000002.2452955674.0000000000A5E000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: twProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005ACBC7 cpuid 2_2_005ACBC7
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000208001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000208001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005AC3CA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 2_2_005AC3CA
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0012D27A GetUserNameW, 4_2_0012D27A
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0010B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 4_2_0010B952
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 4_2_000D42DE
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys Clipper DLL
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
Yara detected Amadeys stealer DLL
Source: Yara match File source: 37.2.chrosha.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.chrosha.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorta.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.amert.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explorta.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 45.2.explorta.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000003.2631909972.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1986544625.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.2674415512.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2026683858.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.2633330881.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3263497208.0000000000A01000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2026672887.0000000000B41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2019740253.0000000005110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2451043145.0000000000861000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2448505563.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2067162566.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2489688651.0000000000A01000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2360399183.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll, type: DROPPED
Yara detected PureLog Stealer
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Yara detected RedLine Stealer
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, type: DROPPED
Yara detected RisePro Stealer
Source: Yara match File source: 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2531414c80.exe PID: 7556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2531414c80.exe PID: 8848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 11696, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cgrqKzIZDKj22M18G57j8co.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\M5gQOMOo3fGmoJBomt4v2FX.zip, type: DROPPED
Yara detected zgRAT
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\walletsn3<
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 2531414c80.exe, 00000008.00000002.2511321549.00000000014F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonC
Source: 2531414c80.exe, 00000008.00000002.2511321549.00000000014F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: MPGPH131.exe, 00000013.00000002.2507231203.0000000008422000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*I#
Tries to harvest and steal WLAN passwords
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Tries to harvest and steal ftp login credentials
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\pYYcSxIhBKAwfJeYUhxRdRWdJVtxceeCaTqdxlePlmkrwxyhCI\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\5454e6f062\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000008001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\RageMP131\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\4d0ab15804\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000147001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
OS version to string mapping found (often used in BOTs)
Source: b3168c3d9b.exe Binary or memory string: WIN_81
Source: b3168c3d9b.exe, 00000004.00000003.2394975883.0000000001189000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: b3168c3d9b.exe Binary or memory string: WIN_XPe
Source: b3168c3d9b.exe, 0000000F.00000003.2486053330.0000000001728000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XPq
Source: b3168c3d9b.exe Binary or memory string: WIN_VISTA
Source: b3168c3d9b.exe Binary or memory string: WIN_7
Source: b3168c3d9b.exe Binary or memory string: WIN_8
Searches for user specific document files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2531414c80.exe PID: 7556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Yara detected RedLine Stealer
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, type: DROPPED
Yara detected RisePro Stealer
Source: Yara match File source: 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2531414c80.exe PID: 7556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2531414c80.exe PID: 8848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 11696, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cgrqKzIZDKj22M18G57j8co.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\M5gQOMOo3fGmoJBomt4v2FX.zip, type: DROPPED
Yara detected zgRAT
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00151204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 4_2_00151204
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00151806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 4_2_00151806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1430545 Sample: file.exe Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 164 Found malware configuration 2->164 166 Malicious sample detected (through community Yara rule) 2->166 168 Antivirus / Scanner detection for submitted sample 2->168 170 16 other signatures 2->170 9 file.exe 5 2->9         started        13 chrosha.exe 2->13         started        16 MPGPH131.exe 2->16         started        18 14 other processes 2->18 process3 dnsIp4 104 C:\Users\user\AppData\Local\...\explorta.exe, PE32 9->104 dropped 212 Detected unpacking (changes PE section rights) 9->212 214 Tries to evade debugger and weak emulator (self modifying code) 9->214 216 Tries to detect virtualization through RDTSC time measurements 9->216 20 explorta.exe 2 23 9->20         started        142 185.172.128.19 NADYMSS-ASRU Russian Federation 13->142 144 77.221.151.47 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation 13->144 146 193.233.132.234 FREE-NET-ASFREEnetEU Russian Federation 13->146 106 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 13->106 dropped 108 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 13->108 dropped 110 C:\Users\user\AppData\Local\...\install.exe, PE32 13->110 dropped 118 17 other malicious files 13->118 dropped 218 Hides threads from debuggers 13->218 236 2 other signatures 13->236 25 swiiiii.exe 13->25         started        27 rundll32.exe 13->27         started        220 Antivirus detection for dropped file 16->220 222 Tries to steal Mail credentials (via file / registry access) 16->222 224 Machine Learning detection for dropped file 16->224 226 Found many strings related to Crypto-Wallets (likely being stolen) 16->226 29 WerFault.exe 16->29         started        148 23.221.242.90 TISCALI-IT United States 18->148 150 40.126.28.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->150 152 2 other IPs or domains 18->152 112 SystemMechanic_548...38868BD1.exe (copy), PE32 18->112 dropped 114 C:\Users\user\AppData\Local\...\BIT1659.tmp, PE32 18->114 dropped 116 C:\Users\user\...\M5gQOMOo3fGmoJBomt4v2FX.zip, Zip 18->116 dropped 228 Multi AV Scanner detection for dropped file 18->228 230 Benign windows process drops PE files 18->230 232 Binary is likely a compiled AutoIt script file 18->232 234 Tries to harvest and steal browser information (history, passwords, etc) 18->234 31 chrome.exe 18->31         started        33 chrome.exe 18->33         started        35 WerFault.exe 18->35         started        37 4 other processes 18->37 file5 signatures6 process7 dnsIp8 120 193.233.132.139 FREE-NET-ASFREEnetEU Russian Federation 20->120 122 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation 20->122 88 C:\Users\user\AppData\Local\...\amert.exe, PE32 20->88 dropped 90 C:\Users\user\AppData\...\2531414c80.exe, PE32 20->90 dropped 92 C:\Users\user\AppData\...\b3168c3d9b.exe, PE32 20->92 dropped 94 4 other malicious files 20->94 dropped 172 Multi AV Scanner detection for dropped file 20->172 174 Detected unpacking (changes PE section rights) 20->174 176 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->176 184 5 other signatures 20->184 39 2531414c80.exe 6 61 20->39         started        44 amert.exe 20->44         started        46 b3168c3d9b.exe 1 20->46         started        48 explorta.exe 20->48         started        178 Writes to foreign memory regions 25->178 180 Allocates memory in foreign processes 25->180 182 Injects a PE file into a foreign processes 25->182 50 RegAsm.exe 25->50         started        58 2 other processes 25->58 52 rundll32.exe 27->52         started        54 chrome.exe 31->54         started        56 chrome.exe 33->56         started        file9 signatures10 process11 dnsIp12 124 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 39->124 126 147.45.47.93 FREE-NET-ASFREEnetEU Russian Federation 39->126 128 172.67.75.166 CLOUDFLARENETUS United States 39->128 96 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 39->96 dropped 98 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 39->98 dropped 100 C:\Users\user\...\cgrqKzIZDKj22M18G57j8co.zip, Zip 39->100 dropped 186 Detected unpacking (changes PE section rights) 39->186 188 Tries to steal Mail credentials (via file / registry access) 39->188 202 6 other signatures 39->202 60 WerFault.exe 39->60         started        63 schtasks.exe 39->63         started        65 schtasks.exe 39->65         started        102 C:\Users\user\AppData\Local\...\chrosha.exe, PE32 44->102 dropped 190 Multi AV Scanner detection for dropped file 44->190 204 3 other signatures 44->204 192 Binary is likely a compiled AutoIt script file 46->192 206 2 other signatures 46->206 67 chrome.exe 9 46->67         started        130 104.21.67.211 CLOUDFLARENETUS United States 50->130 194 Query firmware table information (likely to detect VMs) 50->194 196 Installs new ROOT certificates 50->196 208 2 other signatures 50->208 198 System process connects to network (likely due to code injection or exploit) 52->198 200 Tries to steal Instant Messenger accounts or passwords 52->200 210 3 other signatures 52->210 69 netsh.exe 52->69         started        132 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 58->132 file13 signatures14 process15 dnsIp16 134 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->134 71 Conhost.exe 60->71         started        73 conhost.exe 63->73         started        75 conhost.exe 65->75         started        136 192.168.2.4 unknown unknown 67->136 138 192.168.2.5 unknown unknown 67->138 140 2 other IPs or domains 67->140 77 chrome.exe 67->77         started        80 chrome.exe 67->80         started        82 chrome.exe 67->82         started        86 2 other processes 67->86 84 conhost.exe 69->84         started        process17 dnsIp18 154 142.250.105.147 GOOGLEUS United States 77->154 156 142.250.105.84 GOOGLEUS United States 77->156 162 9 other IPs or domains 77->162 158 64.233.176.101 GOOGLEUS United States 80->158 160 64.233.185.102 GOOGLEUS United States 82->160
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.233.132.139
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
34.117.186.192
 unknown United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.250.105.84
 unknown United States
15169 GOOGLEUS false
64.233.176.95
 unknown United States
15169 GOOGLEUS false
52.182.143.212
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
193.233.132.234
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
147.45.47.93
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
142.251.15.94
 unknown United States
15169 GOOGLEUS false
172.217.215.94
 unknown United States
15169 GOOGLEUS false
142.250.9.94
 unknown United States
15169 GOOGLEUS false
104.21.67.211
 unknown United States
13335 CLOUDFLARENETUS false
77.221.151.47
 unknown Russian Federation
30968 INFOBOX-ASInfoboxruAutonomousSystemRU false
40.126.28.22
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.217.215.95
 unknown United States
15169 GOOGLEUS false
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
142.250.9.138
 unknown United States
15169 GOOGLEUS false
172.67.75.166
 unknown United States
13335 CLOUDFLARENETUS false
20.42.65.92
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.253.124.113
 unknown United States
15169 GOOGLEUS false
193.233.132.167
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
172.253.124.136
 unknown United States
15169 GOOGLEUS false
142.250.105.147
 unknown United States
15169 GOOGLEUS false
64.233.185.102
 unknown United States
15169 GOOGLEUS false
185.93.1.243
 unknown Czech Republic
60068 CDN77GB false
185.172.128.19
 unknown Russian Federation
50916 NADYMSS-ASRU false
239.255.255.250
 unknown Reserved
unknown unknown false
23.221.242.90
 unknown United States
8612 TISCALI-IT false
64.233.176.101
 unknown United States
15169 GOOGLEUS false

Private

IP
192.168.2.4
192.168.2.6
192.168.2.5
127.0.0.1