Windows Analysis Report
AccoutChangersetup.exe

Overview

General Information

Sample name: AccoutChangersetup.exe
Analysis ID: 1431269
MD5: 307639b090b992ebc59cf20903918d90
SHA1: f88d0d80e62d3947c7c3dd5faeddb5eb18fc7cd8
SHA256: fb489711e58eaa124bd751b53049964ba7e647e449c05feea4311feb77b2aacd
Tags: exeStealer
Infos:

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Found pyInstaller with non standard icon
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Uses 32bit PE files
Source: AccoutChangersetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294398265.00007FF8B90B3000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3291690334.00007FF8B7EEC000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AccountChanger.exe, 00000004.00000003.2347547959.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3295786417.00007FF8BA251000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: AccountChanger.exe, 00000005.00000002.3295463557.00007FF8B9F70000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3292741355.00007FF8B8B36000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294825486.00007FF8B90FB000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3293271804.00007FF8B8CE7000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: AccountChanger.exe, 00000005.00000002.3292122162.00007FF8B8126000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: AccountChanger.exe, 00000005.00000002.3292122162.00007FF8B8126000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: AccountChanger.exe, 00000005.00000002.3294203045.00007FF8B9092000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3293914149.00007FF8B9063000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294825486.00007FF8B90FB000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3293096753.00007FF8B8CD5000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3295065042.00007FF8B93CD000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3292924630.00007FF8B8CB8000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294593111.00007FF8B90C8000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3282303465.0000015D363C0000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: AccountChanger.exe, 00000005.00000002.3290350063.00007FF8A8A61000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: AccountChanger.exe, 00000005.00000002.3293517963.00007FF8B8F7D000.00000002.00000001.01000000.00000015.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00452A60 FindFirstFileA,GetLastError, 2_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 2_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 2_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00463CDC
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589909B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 4_2_00007FF7589909B4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 4_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758977820 FindFirstFileExW,FindClose, 4_2_00007FF758977820
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 4_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589909B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_00007FF7589909B4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 5_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758977820 FindFirstFileExW,FindClose, 5_2_00007FF758977820
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 5_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat Jump to behavior
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38F82000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3287473971.0000015D3A5E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
Source: AccountChanger.exe, 00000005.00000002.3284977658.0000015D395B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://aka.ms/vcpython27
Source: AccountChanger.exe, 00000005.00000002.3287163389.0000015D3A1C0000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2470947110.0000015D3978E000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2470947110.0000015D39799000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bugs.python.org/issue23606)
Source: AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.co
Source: AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.co8
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350222032.000001EDA3F43000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362884253.000001EDA3F44000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38CB0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283143117.0000015D384B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: AccountChanger.exe, 00000005.00000002.3283143117.0000015D384B0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2463841665.0000015D388AB000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2463806655.0000015D38CB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.dig
Source: AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/D
Source: AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/D8
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362884253.000001EDA3F44000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350222032.000001EDA3F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digk
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AccountChanger.exe, 00000005.00000002.3287473971.0000015D3A5E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: AccountChanger.exe, 00000005.00000002.3286878095.0000015D39FB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: AccountChanger.exe, 00000005.00000002.3286878095.0000015D39FB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: AccountChanger.exe, 00000005.00000002.3284977658.0000015D395B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: AccountChanger.exe, 00000005.00000002.3283794274.0000015D38AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/library/unittest.html
Source: AccountChanger.exe, 00000005.00000002.3283886903.0000015D38BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://github.com/ActiveState/appdirs
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38EC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: AccountChanger.exe, 00000005.00000002.3283458199.0000015D387B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362884253.000001EDA3F44000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: AccountChanger.exe, 00000005.00000002.3283357072.0000015D386B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tip.tcl.tk/48)
Source: AccountChanger.exe, 00000005.00000002.3287258878.0000015D3A2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AccountChanger.exe, 00000005.00000002.3283794274.0000015D38AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348257370.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354318470.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353152382.000001EDA3F41000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348540153.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2355015809.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2349886758.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: AccoutChangersetup.tmp, 00000002.00000003.2348304093.0000000002238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: AccountChanger.exe, 00000004.00000003.2402793578.000001EDA3F40000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402450812.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402292108.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402793578.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402292108.000001EDA3F40000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402654445.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402654445.000001EDA3F40000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2402450812.000001EDA3F40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/licenses/
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: AccoutChangersetup.tmp, AccoutChangersetup.tmp, 00000002.00000000.2039314837.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.innosetup.com/
Source: AccoutChangersetup.exe, AccoutChangersetup.exe, 00000000.00000000.2035706447.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: AccoutChangersetup.exe, 00000000.00000000.2035706447.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AccoutChangersetup.exe, 00000000.00000003.2038508264.0000000002370000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.exe, 00000000.00000003.2038741071.0000000002148000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.tmp, AccoutChangersetup.tmp, 00000002.00000000.2039314837.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: AccoutChangersetup.exe, 00000000.00000003.2038508264.0000000002370000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.exe, 00000000.00000003.2038741071.0000000002148000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.tmp, 00000002.00000000.2039314837.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38CB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: AccountChanger.exe, 00000004.00000003.2398290422.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2398290422.000001EDA3F40000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anzeljg.github.io/rin2/book2/2405/docs/tkinter/fonts.html
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283981260.0000015D38EC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anzeljg.github.io/rin2/book2/2405/docs/tkinter/text.html
Source: AccountChanger.exe, 00000005.00000002.3287028499.0000015D3A0B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/botz
Source: AccountChanger.exe, 00000004.00000003.2380714897.000001EDA3F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugs.ghostscript.com/show_bug.cgi?id=698272)
Source: AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue44497.
Source: AccountChanger.exe, 00000004.00000003.2380041326.000001EDA3F3B000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2363125113.000001EDA3F3A000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2381574470.000001EDA3F3D000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2381574470.000001EDA3F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/
Source: AccountChanger.exe, 00000004.00000003.2404575896.000001EDA3F3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2470832979.0000015D388ED000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283606857.0000015D3895D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2470832979.0000015D388ED000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283606857.0000015D3895D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: AccountChanger.exe, 00000005.00000003.2464828704.0000015D38D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/re.html
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38EC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/re.html#
Source: AccountChanger.exe, 00000005.00000002.3283794274.0000015D38AB0000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2464828704.0000015D38CFF000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2466342868.0000015D38D45000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2464828704.0000015D38D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539#
Source: AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: AccountChanger.exe, 00000005.00000002.3283606857.0000015D3895D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: AccountChanger.exe, 00000004.00000003.2399742696.000001EDA3F40000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2399742696.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/TomSchimansky/CustomTkinter/wiki/Packaging#windows-pyinstaller-auto-py-to-exe
Source: AccountChanger.exe, 00000005.00000002.3282343042.0000015D36433000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2459902063.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283143117.0000015D384B0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2460007638.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: AccountChanger.exe, 00000005.00000002.3284783282.0000015D393B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: AccountChanger.exe, 00000005.00000002.3283794274.0000015D38AB0000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283458199.0000015D387B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/packaging
Source: AccountChanger.exe, 00000005.00000002.3283794274.0000015D38AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/packagingSP
Source: AccountChanger.exe, 00000005.00000002.3283357072.0000015D386B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: AccountChanger.exe, 00000005.00000002.3283458199.0000015D387B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: AccountChanger.exe, 00000005.00000002.3286878095.0000015D39FB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: AccountChanger.exe, 00000004.00000003.2363247984.000001EDA3F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-pillow/Pillow/issues/1293
Source: AccountChanger.exe, 00000005.00000003.2459902063.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3282844467.0000015D38070000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2460007638.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: AccountChanger.exe, 00000005.00000003.2460007638.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: AccountChanger.exe, 00000005.00000002.3282343042.0000015D36433000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2459902063.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283143117.0000015D384B0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2460007638.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: AccountChanger.exe, 00000005.00000002.3282343042.0000015D36433000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2459902063.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283143117.0000015D384B0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2460007638.0000015D364CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: AccountChanger.exe, 00000005.00000002.3283606857.0000015D38937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: AccountChanger.exe, 00000005.00000002.3285169192.0000015D39735000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283606857.0000015D38937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38CB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: AccountChanger.exe, 00000005.00000002.3283606857.0000015D38937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: AccountChanger.exe, 00000005.00000002.3282844467.0000015D38070000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283458199.0000015D387B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: AccountChanger.exe, 00000005.00000002.3285169192.0000015D3977D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: AccountChanger.exe, 00000005.00000002.3283606857.0000015D3895D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283255304.0000015D385B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A688000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3285169192.0000015D3977D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: AccountChanger.exe, 00000005.00000003.2465661770.0000015D388E0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2464018093.0000015D388E8000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2462706633.0000015D388D0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2462821642.0000015D38878000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2462921582.0000015D388D0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283458199.0000015D387B0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2465201264.0000015D388D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: AccountChanger.exe, 00000005.00000002.3284783282.0000015D393B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: AccountChanger.exe, 00000005.00000002.3287163389.0000015D3A1C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/11993290/truly-custom-font-in-tkinter/30631309#30631309
Source: AccountChanger.exe, 00000005.00000002.3286878095.0000015D39FB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/23836000/can-i-change-the-title-bar-in-tkinter/70724666#70724666
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38DE1000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2467168296.0000015D38D63000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283981260.0000015D38CB0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2464828704.0000015D38CFF000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2466342868.0000015D38D45000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2464828704.0000015D38D4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: AccountChanger.exe, 00000004.00000003.2457347804.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000002.3282342733.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.apple.com/en-us/HT201236
Source: AccountChanger.exe, 00000005.00000002.3283606857.0000015D3895D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: AccountChanger.exe, 00000005.00000002.3283981260.0000015D38FA9000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283606857.0000015D38937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: AccountChanger.exe, 00000005.00000002.3283794274.0000015D38AB0000.00000004.00001000.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3284682951.0000015D392B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://upload.pypi.org/legacy/
Source: AccountChanger.exe, 00000005.00000002.3287163389.0000015D3A1C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: AccountChanger.exe, 00000005.00000002.3287258878.0000015D3A2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: AccountChanger.exe, 00000004.00000003.2380041326.000001EDA3F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu
Source: AccountChanger.exe, 00000005.00000002.3282343042.0000015D36433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: AccoutChangersetup.tmp, 00000002.00000003.2348304093.0000000002238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.accountchanger.online/
Source: AccoutChangersetup.exe, 00000000.00000003.2350311833.0000000002140000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.exe, 00000000.00000003.2038181630.0000000002141000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.tmp, 00000002.00000003.2040827676.0000000002238000.00000004.00001000.00020000.00000000.sdmp, AccoutChangersetup.tmp, 00000002.00000003.2348304093.0000000002238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.accountchanger.online/2
Source: AccountChanger.exe, 00000004.00000003.2361924842.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2361159759.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000004.00000003.2353922688.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: AccountChanger.exe, 00000004.00000003.2354072931.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3292236939.00007FF8B815B000.00000002.00000001.01000000.00000016.sdmp, AccountChanger.exe, 00000005.00000002.3290674468.00007FF8A8AD6000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://www.openssl.org/H
Source: AccountChanger.exe, 00000005.00000002.3285169192.0000015D3977D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: AccountChanger.exe, 00000005.00000002.3283606857.0000015D3895D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: AccountChanger.exe, 00000005.00000002.3283357072.0000015D386B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: AccountChanger.exe, 00000005.00000002.3282844467.0000015D38070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: AccountChanger.exe, 00000005.00000002.3285169192.0000015D39735000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283606857.0000015D38937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Contains functionality for read data from the clipboard
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8492AD0 OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_00007FF8A8492AD0
Contains functionality to modify clipboard data
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8492AD0 OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_00007FF8A8492AD0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8448C00 GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData, 5_2_00007FF8A8448C00
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8448DD0 OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_00007FF8A8448DD0
Contains functionality to read the clipboard data
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84486A0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GetLocaleInfoA,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard, 5_2_00007FF8A84486A0
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00423B84 NtdllDefWindowProc_A, 2_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004125D8 NtdllDefWindowProc_A, 2_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00478AC0 NtdllDefWindowProc_A, 2_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0042F520 NtdllDefWindowProc_A, 2_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 2_2_00457594
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 2_2_0042E934
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_004555E4
Detected potential crypto function
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_0040840C 0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004706A8 2_2_004706A8
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004809F7 2_2_004809F7
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004673A4 2_2_004673A4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0043035C 2_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004444C8 2_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004345C4 2_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00444A70 2_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00486BD0 2_2_00486BD0
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00430EE8 2_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0045F0C4 2_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00445168 2_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0045B174 2_2_0045B174
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004352C8 2_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00469404 2_2_00469404
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00445574 2_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004519BC 2_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00487B30 2_2_00487B30
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0043DD50 2_2_0043DD50
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0048DF54 2_2_0048DF54
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758995D6C 4_2_00007FF758995D6C
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758994E20 4_2_00007FF758994E20
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758976780 4_2_00007FF758976780
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589811C0 4_2_00007FF7589811C0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589931CC 4_2_00007FF7589931CC
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589809A0 4_2_00007FF7589809A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589909B4 4_2_00007FF7589909B4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75898FA08 4_2_00007FF75898FA08
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589813C4 4_2_00007FF7589813C4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758988BA0 4_2_00007FF758988BA0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758980BA4 4_2_00007FF758980BA4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75898CC04 4_2_00007FF75898CC04
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758982C04 4_2_00007FF758982C04
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758971B90 4_2_00007FF758971B90
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758998B68 4_2_00007FF758998B68
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758980DB0 4_2_00007FF758980DB0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758992D30 4_2_00007FF758992D30
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75898FA08 4_2_00007FF75898FA08
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986560 4_2_00007FF758986560
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986714 4_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758981E70 4_2_00007FF758981E70
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986F98 4_2_00007FF758986F98
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758980FB4 4_2_00007FF758980FB4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758982800 4_2_00007FF758982800
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758984F50 4_2_00007FF758984F50
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75898D718 4_2_00007FF75898D718
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75898D098 4_2_00007FF75898D098
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75899509C 4_2_00007FF75899509C
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589780A0 4_2_00007FF7589780A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758995820 4_2_00007FF758995820
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986714 4_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758995D6C 5_2_00007FF758995D6C
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589811C0 5_2_00007FF7589811C0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589931CC 5_2_00007FF7589931CC
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589809A0 5_2_00007FF7589809A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589909B4 5_2_00007FF7589909B4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75898FA08 5_2_00007FF75898FA08
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589813C4 5_2_00007FF7589813C4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758988BA0 5_2_00007FF758988BA0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758980BA4 5_2_00007FF758980BA4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75898CC04 5_2_00007FF75898CC04
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758982C04 5_2_00007FF758982C04
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758971B90 5_2_00007FF758971B90
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758998B68 5_2_00007FF758998B68
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758980DB0 5_2_00007FF758980DB0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758992D30 5_2_00007FF758992D30
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75898FA08 5_2_00007FF75898FA08
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986560 5_2_00007FF758986560
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986714 5_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758994E20 5_2_00007FF758994E20
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758981E70 5_2_00007FF758981E70
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986F98 5_2_00007FF758986F98
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758980FB4 5_2_00007FF758980FB4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758982800 5_2_00007FF758982800
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758984F50 5_2_00007FF758984F50
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75898D718 5_2_00007FF75898D718
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758976780 5_2_00007FF758976780
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75898D098 5_2_00007FF75898D098
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75899509C 5_2_00007FF75899509C
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589780A0 5_2_00007FF7589780A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758995820 5_2_00007FF758995820
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986714 5_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8528570 5_2_00007FF8A8528570
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8474060 5_2_00007FF8A8474060
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85191F0 5_2_00007FF8A85191F0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8455380 5_2_00007FF8A8455380
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8451470 5_2_00007FF8A8451470
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85175AE 5_2_00007FF8A85175AE
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A847A9F0 5_2_00007FF8A847A9F0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84F4A60 5_2_00007FF8A84F4A60
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A844CA30 5_2_00007FF8A844CA30
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8446A20 5_2_00007FF8A8446A20
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84F0B40 5_2_00007FF8A84F0B40
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84FCB40 5_2_00007FF8A84FCB40
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84EEB80 5_2_00007FF8A84EEB80
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A844AC50 5_2_00007FF8A844AC50
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8452C00 5_2_00007FF8A8452C00
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A850CCF0 5_2_00007FF8A850CCF0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84F2CF0 5_2_00007FF8A84F2CF0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8450CB0 5_2_00007FF8A8450CB0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84ECD50 5_2_00007FF8A84ECD50
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8458D40 5_2_00007FF8A8458D40
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84CAD10 5_2_00007FF8A84CAD10
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84D0D30 5_2_00007FF8A84D0D30
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84FADD0 5_2_00007FF8A84FADD0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8528E00 5_2_00007FF8A8528E00
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8444EE0 5_2_00007FF8A8444EE0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84FCEB0 5_2_00007FF8A84FCEB0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8484EA0 5_2_00007FF8A8484EA0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8476F10 5_2_00007FF8A8476F10
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A853B050 5_2_00007FF8A853B050
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84C5020 5_2_00007FF8A84C5020
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85270F0 5_2_00007FF8A85270F0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84C10E0 5_2_00007FF8A84C10E0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84410E0 5_2_00007FF8A84410E0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84E4140 5_2_00007FF8A84E4140
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84FE100 5_2_00007FF8A84FE100
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84B01F0 5_2_00007FF8A84B01F0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84562B0 5_2_00007FF8A84562B0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84BA2A0 5_2_00007FF8A84BA2A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8454340 5_2_00007FF8A8454340
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A849C420 5_2_00007FF8A849C420
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84C24E0 5_2_00007FF8A84C24E0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85004E0 5_2_00007FF8A85004E0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84EE4B0 5_2_00007FF8A84EE4B0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84C8540 5_2_00007FF8A84C8540
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84C4574 5_2_00007FF8A84C4574
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84845A0 5_2_00007FF8A84845A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84C0740 5_2_00007FF8A84C0740
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84B4760 5_2_00007FF8A84B4760
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A848683D 5_2_00007FF8A848683D
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85048F0 5_2_00007FF8A85048F0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85068E0 5_2_00007FF8A85068E0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84628B0 5_2_00007FF8A84628B0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A84A68A0 5_2_00007FF8A84A68A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A87923F1 5_2_00007FF8A87923F1
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8795D9E 5_2_00007FF8A8795D9E
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8932AF0 5_2_00007FF8A8932AF0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8872BC0 5_2_00007FF8A8872BC0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8794D04 5_2_00007FF8A8794D04
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8791B22 5_2_00007FF8A8791B22
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8795B0F 5_2_00007FF8A8795B0F
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A879213F 5_2_00007FF8A879213F
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8794633 5_2_00007FF8A8794633
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A87972C0 5_2_00007FF8A87972C0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A88CAFF0 5_2_00007FF8A88CAFF0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A87AEF00 5_2_00007FF8A87AEF00
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A87929CD 5_2_00007FF8A87929CD
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8796EEC 5_2_00007FF8A8796EEC
Found potential string decryption / allocating functions
Source: C:\AccountChanger\AccountChanger.exe Code function: String function: 00007FF8A8792734 appears 61 times
Source: C:\AccountChanger\AccountChanger.exe Code function: String function: 00007FF8A8535A40 appears 38 times
Source: C:\AccountChanger\AccountChanger.exe Code function: String function: 00007FF758972770 appears 82 times
Source: C:\AccountChanger\AccountChanger.exe Code function: String function: 00007FF8A8791EF1 appears 199 times
Source: C:\AccountChanger\AccountChanger.exe Code function: String function: 00007FF8A8794057 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: String function: 004460A4 appears 59 times
PE file contains executable resources (Code or Archives)
Source: AccoutChangersetup.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: AccoutChangersetup.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: AccoutChangersetup.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-9HL2D.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-9HL2D.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-9HL2D.tmp.2.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Sample file is different than original file name gathered from version info
Source: AccoutChangersetup.exe, 00000000.00000003.2038741071.00000000021EE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs AccoutChangersetup.exe
Source: AccoutChangersetup.exe, 00000000.00000003.2038508264.000000000241A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs AccoutChangersetup.exe
Uses 32bit PE files
Source: AccoutChangersetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: sus24.spyw.evad.winEXE@10/1039@0/0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589774B0 GetLastError,FormatMessageW,WideCharToMultiByte, 4_2_00007FF7589774B0
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_004555E4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA, 2_2_00455E0C
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A844A2A0 GetModuleHandleW,GetProcAddress,CoInitialize,CoCreateInstance,CoCreateInstance, 5_2_00007FF8A844A2A0
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Users\user\Desktop\AccoutChangersetup.exe File created: C:\Users\user\AppData\Local\Temp\is-M482R.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: AccoutChangersetup.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: AccountChanger.exe String found in binary or memory: -startline must be less than or equal to -endline
Source: AccountChanger.exe String found in binary or memory: -help
Source: C:\Users\user\Desktop\AccoutChangersetup.exe File read: C:\Users\user\Desktop\AccoutChangersetup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\AccoutChangersetup.exe "C:\Users\user\Desktop\AccoutChangersetup.exe"
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp "C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp" /SL5="$20470,18246292,90112,C:\Users\user\Desktop\AccoutChangersetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process created: C:\AccountChanger\AccountChanger.exe "C:\AccountChanger\AccountChanger.exe"
Source: C:\AccountChanger\AccountChanger.exe Process created: C:\AccountChanger\AccountChanger.exe "C:\AccountChanger\AccountChanger.exe"
Source: C:\AccountChanger\AccountChanger.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp "C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp" /SL5="$20470,18246292,90112,C:\Users\user\Desktop\AccoutChangersetup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process created: C:\AccountChanger\AccountChanger.exe "C:\AccountChanger\AccountChanger.exe" Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Process created: C:\AccountChanger\AccountChanger.exe "C:\AccountChanger\AccountChanger.exe" Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" Jump to behavior
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: version.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: libffi-7.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: tcl86t.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: tk86t.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: userenv.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: samcli.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: netutils.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: AccountChanger.lnk.2.dr LNK file: ..\..\..\..\..\..\AccountChanger\AccountChanger.exe
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Window found: window name: TSelectLanguageForm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Automated click: I accept the agreement
Source: Window Recorder Window detected: More than 3 window changes detected
Source: AccoutChangersetup.exe Static file information: File size 18495052 > 1048576
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: AccountChanger.exe, 00000004.00000003.2360806532.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294398265.00007FF8B90B3000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: AccountChanger.exe, 00000004.00000003.2362442277.000001EDA3F3F000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3291690334.00007FF8B7EEC000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AccountChanger.exe, 00000004.00000003.2347547959.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3295786417.00007FF8BA251000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: AccountChanger.exe, 00000005.00000002.3295463557.00007FF8B9F70000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: AccountChanger.exe, 00000004.00000003.2348775178.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3292741355.00007FF8B8B36000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294825486.00007FF8B90FB000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: AccountChanger.exe, 00000004.00000003.2347662604.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3293271804.00007FF8B8CE7000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: AccountChanger.exe, 00000005.00000002.3292122162.00007FF8B8126000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: AccountChanger.exe, 00000005.00000002.3292122162.00007FF8B8126000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: AccountChanger.exe, 00000005.00000002.3294203045.00007FF8B9092000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: AccountChanger.exe, 00000004.00000003.2349395214.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3293914149.00007FF8B9063000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: AccountChanger.exe, 00000004.00000003.2348920092.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294825486.00007FF8B90FB000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: AccountChanger.exe, 00000004.00000003.2349250192.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3293096753.00007FF8B8CD5000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: AccountChanger.exe, 00000004.00000003.2347784759.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3295065042.00007FF8B93CD000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: AccountChanger.exe, 00000004.00000003.2350074055.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3292924630.00007FF8B8CB8000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: AccountChanger.exe, 00000004.00000003.2349711459.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3294593111.00007FF8B90C8000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: AccountChanger.exe, 00000004.00000003.2354448227.000001EDA3F37000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3282303465.0000015D363C0000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: AccountChanger.exe, 00000004.00000003.2349110323.000001EDA3F36000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: AccountChanger.exe, 00000005.00000002.3290350063.00007FF8A8A61000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: AccountChanger.exe, 00000005.00000002.3293517963.00007FF8B8F7D000.00000002.00000001.01000000.00000015.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004502C0
PE file contains sections with non-standard names
Source: is-6MOI9.tmp.2.dr Static PE information: section name: _RDATA
Source: is-EOJ2S.tmp.2.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0040994C push 00409989h; ret 2_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00483F88 push 00484096h; ret 2_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004062B4 push ecx; mov dword ptr [esp], eax 2_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004104E0 push ecx; mov dword ptr [esp], edx 2_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00412928 push 0041298Bh; ret 2_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00494CAC push ecx; mov dword ptr [esp], ecx 2_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0040CE38 push ecx; mov dword ptr [esp], edx 2_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004592D0 push 00459314h; ret 2_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0040F398 push ecx; mov dword ptr [esp], edx 2_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00443440 push ecx; mov dword ptr [esp], ecx 2_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0040546D push eax; ret 2_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00485678 push ecx; mov dword ptr [esp], ecx 2_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004517F8 push 0045182Bh; ret 2_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004519BC push ecx; mov dword ptr [esp], eax 2_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00477B08 push ecx; mov dword ptr [esp], edx 2_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00419C28 push ecx; mov dword ptr [esp], ecx 2_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0045FD1C push ecx; mov dword ptr [esp], ecx 2_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00499D30 pushad ; retf 2_2_00499D3F

Persistence and Installation Behavior
barindex
Found pyInstaller with non standard icon
Source: C:\AccountChanger\AccountChanger.exe Process created: "C:\AccountChanger\AccountChanger.exe"
Drops PE files
Source: C:\AccountChanger\AccountChanger.exe File created: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\_imagingmorph.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-E53OT.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\AccoutChangersetup.exe File created: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-E53OT.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\AccountChanger\unins000.exe (copy) Jump to dropped file
Source: C:\AccountChanger\AccountChanger.exe File created: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\_imagingft.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\AccountChanger\is-9HL2D.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\AccountChanger\AccountChanger.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\AccountChanger\is-EOJ2S.tmp Jump to dropped file
Source: C:\AccountChanger\AccountChanger.exe File created: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\_imagingmath.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\AccountChanger\is-6MOI9.tmp Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AccountChanger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AccountChanger\AccountChanger.lnk Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004241DC IsIconic,SetActiveWindow,SetFocus, 2_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00424194 IsIconic,SetActiveWindow, 2_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00417598 IsIconic,GetCapture, 2_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 2_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00417CCE IsIconic,SetWindowPos, 2_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_00417CD0
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A8464370 IsIconic,IsZoomed,AdjustWindowRectEx,SendMessageW,SendMessageW,GetSystemMetrics,MoveWindow,GetWindowRect,GetClientRect,MoveWindow,GetWindowRect,MoveWindow,DrawMenuBar, 5_2_00007FF8A8464370
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0041F118
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\AccountChanger\AccountChanger.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\_imagingmorph.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-E53OT.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-E53OT.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Dropped PE file which has not been started: C:\AccountChanger\unins000.exe (copy) Jump to dropped file
Source: C:\AccountChanger\AccountChanger.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\_imagingft.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Dropped PE file which has not been started: C:\AccountChanger\is-9HL2D.tmp Jump to dropped file
Source: C:\AccountChanger\AccountChanger.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\_imagingmath.cp310-win_amd64.pyd Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Evasive API call chain: GetSystemTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\AccountChanger\AccountChanger.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\AccountChanger\AccountChanger.exe API coverage: 6.6 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00452A60 FindFirstFileA,GetLastError, 2_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 2_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 2_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00463CDC
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589909B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 4_2_00007FF7589909B4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 4_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758977820 FindFirstFileExW,FindClose, 4_2_00007FF758977820
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 4_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF7589909B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_00007FF7589909B4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 5_2_00007FF758986714
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758977820 FindFirstFileExW,FindClose, 5_2_00007FF758977820
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758986714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 5_2_00007FF758986714
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat Jump to behavior
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61.1265_ Mu:]
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: guratioamd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.19041.1_none_e0127aac1cc27b15.manifest20dcPC
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7.manifest_syswow64_percpZ
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.19041.1_none_cce38a03f1e40067.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 1.1265_amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79oDevice.dll Du:]
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: h_enginamd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87.manifest_4
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-f..wallrules.resources_31bf3856ad364e35_10.0.19041.1_en-us_4d711034023df04d.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bdacc15
Source: AccoutChangersetup.tmp, 00000002.00000003.2348696327.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: olicymaamd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127dll`Fu:]
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1bjter40.dllt
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Fiamd64_microsoft-hyper-v-drivers-hypervisor-bcd_31bf3856ad364e35_10.0.19041.1_none_cbb2f6c087e55fc0.manifest-ms
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: der.dllamd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d_0.dlldll
Source: AccountChanger.exe, 00000005.00000002.3288141520.0000015D3BF60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164.manifestp
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.19041.1_none_642b49da78e510c8.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41bHost
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_165edb2e5d580618.manifest0J
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ospaymeamd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24dll0Iu:]
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vdev-offline_31bf3856ad364e35_10.0.19041.1_none_92013f260f9b1b7b.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor-bcd_31bf3856ad364e35_10.0.19041.1_none_cbb2f6c087e55fc0.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5.manifest291.cdf-ms
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 9f43986amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.19041.928_none_b394b845725c83f9.manifest1
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.19041.928_none_58e4b5397f9ab13a.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4384c1damd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586.manifestdf-pF
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.19041.1_none_2cfac380b9544760.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4.manifestPW
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_e16d8a57f6edf359.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mejp_apamd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.19041.1_en-us_90826ff4620798e4.manifest_52
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd0ebd3d8c
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98vcrt40.dllllp
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040.manifest0
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0p120.dlle
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744itlb.dlll
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda.manifest]
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.19041.1_en-us_90826ff4620798e4.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: r_001e_amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981.manifest752
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.19041.928_en-us_4257e8c2720c2e68.manifest0
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15.manifest0
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-o..n-merged-deployment_31bf3856ad364e35_10.0.19041.1566_none_4d0af6f3ee4c927e.manifest_
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5.manifest`
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-storvsp_31bf3856ad364e35_10.0.19041.1_none_cb2cd273f2fa3722.manifest
Source: AccountChanger.exe, 00000005.00000003.3027246161.0000015D3BD60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..n-merged-deployment_31bf3856ad364e35_10.0.19041.1566_none_4d0af6f3ee4c927e.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_53df9e1a6706366c.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: llshielamd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24.manifestield_setupd
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06WImage.dll
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.19041.1_none_56baaad119b4f126.manifestell.ope`
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DB_id-iamd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_8b1c06953b85da99.manifestnstPM
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: rintfilamd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fdaatLu:]
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ers-vmswitch-common_31bf3856ad364e35_10.0.19041.1_none_e5de88ec9eb30808.manifests
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920.manifestb.ma
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: les_044amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.19041.1_none_8d60e49d6e4b7e60.manifest0
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79.manifest4e
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..r-merged-deployment_31bf3856ad364e35_10.0.19041.1_none_479626a02c4fee1b.manifest
Source: AccoutChangersetup.tmp, 00000002.00000003.2348696327.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: r_0c0c_amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.19041.928_none_58e4b5397f9ab13a.manifest3e5392b.cdf-ms
Source: AccountChanger.exe, 00000005.00000003.3026791036.0000015D3BC60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de.manifestp
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 08e5070amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3.manifesta5e0P\
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b.manifestswow64_inst
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a6732.dlll
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.19041.1_none_31900babde4397db.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_0544b95dbde97edc.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6EG2ENC.DLL
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8ciceAp
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0
Source: AccountChanger.exe, 00000005.00000003.2462283353.0000015D387E4000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000002.3283458199.0000015D387B0000.00000004.00000020.00020000.00000000.sdmp, AccountChanger.exe, 00000005.00000003.2462403404.0000015D387EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt on%SystemRoot%\system32\mswsock.dllthe socket object.
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fd6c30eamd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_e16d8a57f6edf359.manifest750
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955.manifestpA
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: samd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_0544b95dbde97edc.manifestst
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de9487ebd5
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.19041.928_none_b394b845725c83f9.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Fiamd64_microsoft-hyper-v-f..wallrules.resources_31bf3856ad364e35_10.0.19041.1_en-us_4d711034023df04d.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.19041.1_none_89d7babee737651c.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ontactsamd64_microsoft-hyper-v-vstack-vdev-offline_31bf3856ad364e35_10.0.19041.1_none_92013f260f9b1b7b.manifestus_e9bc0Y
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.19041.1_none_2cfac380b9544760.manifests
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5.manifestnst
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 64\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack_31bf3856ad364e35_10.0.19041.1_none_1aae8085937aee95.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: t.Sourcamd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c2r.dll0
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_165edb2e5d580618.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..p-merged-deployment_31bf3856ad364e35_10.0.19041.1741_none_27157646a7f74243.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..r-merged-deployment_31bf3856ad364e35_10.0.19041.1_none_479626a02c4fee1b.manifest0
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Fiamd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b.manifestf-ms
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3_
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: llshielamd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2.manifestd_setupdpP
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Compat.amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15`
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 0_modulamd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: poramd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b.exee79ef38f
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.19041.1_none_e0127aac1cc27b15.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13.manifestw64_spee
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.19041.928_en-us_4257e8c2720c2e68.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.19041.1_none_89d7babee737651c.manifest-ms
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.19041.1_none_5cb76f18a25ee556.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6.manifestsp
Source: AccountChanger.exe, 00000005.00000002.3288141520.0000015D3BF60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: f-msamd64_microsoft-hyper-v-m..ients-firewallrules_31bf3856ad364e35_10.0.19041.1_none_a0e7047dc07f4f53.manifestest0E
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.19041.1_none_8d60e49d6e4b7e60.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580.dlll
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7PJu:]
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: .cdf-msamd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dabe55amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379.manifestP
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.19041.1_none_56baaad119b4f126.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: .powersamd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.19041.1_none_cce38a03f1e40067.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca841
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_8b1c06953b85da99.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wspoweramd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c1412\
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $_syswoamd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5.manifestriv
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..s-merged-deployment_31bf3856ad364e35_10.0.19041.1741_none_68a612f12d9ba982.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ation_damd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: llshielamd64_microsoft-hyper-v-o..s-merged-deployment_31bf3856ad364e35_10.0.19041.1741_none_68a612f12d9ba982.manifestd
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5cc96dlll
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cb98815amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127.manifest80c.cdf-ms
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cb97d65amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Fiamd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c.manifest0
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4b11b7a3cc41bP
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5sk.dllll
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: _1.0.1_amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..ients-firewallrules_31bf3856ad364e35_10.0.19041.1_none_a0e7047dc07f4f53.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: r_0010_amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c.manifest011_5cf947280O
Source: AccountChanger.exe, 00000005.00000003.3026791036.0000015D3BC60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ad364e3amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c704038`
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..e-merged-deployment_31bf3856ad364e35_10.0.19041.1415_none_36f742b3b56a2468.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141.manifestnlo`
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3ebp.dll
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 32\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 6bb4866amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8.manifest0db7
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cb98866amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2.manifest-msPR
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: m1etramd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5ulCu:]
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135.manifestP
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ers-vmswitch-common_31bf3856ad364e35_10.0.19041.1_none_e5de88ec9eb30808.manifest
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Fiamd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.19041.1_none_642b49da78e510c8.manifestcdf-ms`
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A734000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611ntIsolationHo
Source: AccountChanger.exe, 00000005.00000003.3002443847.0000015D3BE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dowspowamd64_microsoft-hyper-v-storvsp_31bf3856ad364e35_10.0.19041.1_none_cb2cd273f2fa3722.manifest
Source: AccountChanger.exe, 00000005.00000002.3287657720.0000015D3A708000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758989AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF758989AE4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004502C0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589925A0 GetProcessHeap, 4_2_00007FF7589925A0
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758989AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF758989AE4
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75897AE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF75897AE00
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75897B69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF75897B69C
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF75897B880 SetUnhandledExceptionFilter, 4_2_00007FF75897B880
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF758989AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF758989AE4
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75897AE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF75897AE00
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75897B69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF75897B69C
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF75897B880 SetUnhandledExceptionFilter, 5_2_00007FF75897B880
Source: C:\AccountChanger\AccountChanger.exe Code function: 5_2_00007FF8A85401DC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF8A85401DC
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 2_2_00478504
Creates a process in suspended mode (likely to inject code)
Source: C:\AccountChanger\AccountChanger.exe Process created: C:\AccountChanger\AccountChanger.exe "C:\AccountChanger\AccountChanger.exe" Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 2_2_0042E09C
Contains functionality to query CPU information (cpuid)
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF7589989B0 cpuid 4_2_00007FF7589989B0
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: GetLocaleInfoA, 2_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: GetLocaleInfoA, 2_2_004085B4
Source: C:\AccountChanger\AccountChanger.exe Code function: InitCommonControlsEx,RegisterClassW,GetKeyboardLayout,GetLocaleInfoW,TranslateCharsetInfo, 5_2_00007FF8A84669C0
Source: C:\AccountChanger\AccountChanger.exe Code function: OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GetLocaleInfoA,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard, 5_2_00007FF8A84486A0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\charset_normalizer VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\PIL VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\certifi VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\cryptography-41.0.1.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets\fonts\Roboto VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets\icons VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\assets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\appearance_mode VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\appearance_mode VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\appearance_mode\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\appearance_mode VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\appearance_mode VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\core_rendering VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\scaling VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\scaling VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\scaling\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\scaling VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\scaling\__pycache__ VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets\scaling VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\customtkinter\windows\widgets VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\encoding VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl\msgs VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\tcl VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\_socket.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\select.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\pyexpat.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\_queue.pyd VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\base_library.zip VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\cryptography-41.0.1.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\cryptography-41.0.1.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\cryptography-41.0.1.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\setuptools-65.5.0.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\cryptography-41.0.1.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922\cryptography-41.0.1.dist-info VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12922 VolumeInformation Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe Queries volume information: C:\AccountChanger\AccountChanger.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 2_2_004585C8
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-M482R.tmp\AccoutChangersetup.tmp Code function: 2_2_0045559C GetUserNameA, 2_2_0045559C
Source: C:\AccountChanger\AccountChanger.exe Code function: 4_2_00007FF758994E20 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 4_2_00007FF758994E20
Source: C:\Users\user\Desktop\AccoutChangersetup.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4
Source: C:\AccountChanger\AccountChanger.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ShaderCache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\FileTypePolicies Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\MEIPreload Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\hyphen-data Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\WidevineCdm Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\AutofillStates Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OptimizationHints Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PKIMetadata Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\RecoveryImproved Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\BrowserMetrics Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\GrShaderCache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Safe Browsing Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\GraphiteDawnCache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SSLErrorAssistant Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials Jump to behavior
Source: C:\AccountChanger\AccountChanger.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1431269 Sample: AccoutChangersetup.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 24 9 AccoutChangersetup.exe 2 2->9         started        file3 25 C:\Users\user\...\AccoutChangersetup.tmp, PE32 9->25 dropped 12 AccoutChangersetup.tmp 27 22 9->12         started        process4 file5 27 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->29 dropped 31 C:\AccountChanger\unins000.exe (copy), PE32 12->31 dropped 33 4 other files (none is malicious) 12->33 dropped 15 AccountChanger.exe 1001 12->15         started        process6 signatures7 37 Found pyInstaller with non standard icon 15->37 18 AccountChanger.exe 15->18         started        process8 signatures9 35 Tries to harvest and steal browser information (history, passwords, etc) 18->35 21 cmd.exe 1 18->21         started        process10 process11 23 conhost.exe 21->23         started       
No contacted IP infos