Windows Analysis Report
astx_setup.exe

Overview

General Information

Sample Name:	astx_setup.exe
Analysis ID:	755221
MD5:	7dd75b2c2e214c0347df3dc137161b19
SHA1:	072a03d9279d3ecbdb5a76c70a862a75fb50d95b
SHA256:	06f360d2a25c75619cb769f56ced75d3d92cd339cb3ec2e3aa9c642ba6f3158f
Infos:

Detection

GuLoader

Score:	34
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	51
Range:	0 - 100

Signatures

Yara detected AntiVM3

Yara detected GuLoader

Found driver which could be used to inject code into processes

May modify the system service descriptor table (often done to hook functions)

Writes many files with high entropy

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Uses cacls to modify the permissions of files

Drops PE files to the windows directory (C:\Windows)

Yara detected Keylogger Generic

Creates or modifies windows services

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Antivirus or Machine Learning detection for unpacked file

Source: 6.3.V3Medic.exe.5b54600.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.V3Medic.exe.5ab0000.5.unpack	Avira: Label: TR/Patched.Ren.Gen7
Source: 6.3.V3Medic.exe.6065a80.14.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1007F680 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

0_2_1007F680

Compliance

Uses 32bit PE files

Source: astx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Window detected: < BackI AgreeCancelAhnLab Installation System AhnLab Installation SystemLicense AgreementPlease review the license terms before installing AhnLab Safe Transaction.Press Page Down to see the rest of the agreement.AhnLab Software License AgreementIMPORTANT - READ CAREFULLY BEFORE USING AHNLAB SOFTWARE.This Software License Agreement (this Agreement) is a legal agreement by and between you and AhnLab Inc. (AhnLab) with regard to the use of the software as defined below (AhnLab Software). If you do not agree to be bound by this Agreement you shall not install copy or use AhnLab Software. 1. Definitions 1.1 AhnLab Software means the software that AhnLab develops or produces and holds the rights such as copyright ownership right etc. AhnLab Software may include computer software any media printed materials and online or electronic documents including but not limited to any and all executable files additional functions user manual help files and other files accompanying AhnLab Software. 1.2 Computer means information processors such as server computer user computer etc. that can transmit and receive information through connection with communication networks. 1.3 Appliance means products that AhnLab sells to customers as a separate form of products produced by installing AhnLab Software in hardware equipment. 1.4 Use refers to any and all acts of using AhnLab Software such as storing installing or executing AhnLab Software in the main or auxiliary memory of Computer CD-ROM or other storage devices or displaying AhnLab on the screen. 1.5 Supplier means a person such as its distributor or reseller who entered into a business partnership agreement with AhnLab with regard to the sales of AhnLab Software or has been officially authorized by AhnLab to sell AhnLab Software. 1.6 You or Customer refers to you as a group or an individual that has entered into an agreement with AhnLab or the Supplier for the license to use AhnLab Software (the Purchase Agreement). 1.7 Commercial Product refers to AhnLab Software that AhnLab or the Supplier sells with charges. 1.8 Free Product refers to AhnLab Software that AhnLab or the Supplier provides free of charges. 2. Software License2.1 Restricted License: Subject to your consent to the terms and conditions of this Agreement AhnLab grants the non-exclusive and non-transferrable license to use AhnLab Software during the term of the license (in case of Commercial Product the term set forth in Purchase Agreement and in case of Free Product the term during which AhnLab Software is available for free).2.2 Scope of License: If you are a purchaser of Commercial Product you may install and use as many copies of AhnLab Software as you have agreed to use under the license from AhnLab or the Supplier. If you (i) execute the process of configuration or installation of this Software in a physical and/or virtual environment or (ii) make all or part of the existing instance run on a separate memory through for ex

Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_en_US.txt	Jump to behavior
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_ko_kr.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File opened: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\ASDTEMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\Microsoft.VC90.CRT.manifest	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\drvinfo_astx.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\ipcntry.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzcmncfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzdefcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\product.dat.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\mupdate2.cfg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Product.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\astx.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipprt.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\aos.sld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\aspinfo.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\extraopn_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\netizen_ply_default.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\ply_ver.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\starter_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_f.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\checkboxes.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\custom_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_hover.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_normal.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_firewall.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_log_viewer.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_error.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_on.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_product_tray.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_quarantine.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_detect.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_setting.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_stx_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_alert.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_shel_check.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_listctrl_header.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_popup_titlebar.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_safe.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo_about.bmp	Jump to behavior

Source: astx_setup.exe

Static PE information: certificate valid

Source: astx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AhnRghNt.pdb source: V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\WinFWMgr\Trunk\Build\X64Release.vc90\WinFWMgr.pdb source: V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\PdCfg.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1795673899.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Av.pdb source: V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\UpEx.pdb source: V3Medic.exe, 00000006.00000003.1838675962.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptNt.pdb source: V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmCtrl.pdb source: V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AHAWKENT.pdb source: V3Medic.exe, 00000006.00000003.2203334329.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDLH.pdb source: V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDnt.pdb source: V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdb source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\build\X64Release.vc60\AhnCtlKD.pdb source: V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\HsbCtl.pdb source: V3Medic.exe, 00000006.00000003.1746313302.0000000003A5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.i386.pdb source: V3Medic.exe, 00000006.00000003.1941544747.0000000005E6A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrumt.pdb source: V3Medic.exe, 00000006.00000003.2376704009.0000000006BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: certutil.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzPlugin.pdb source: V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\_building\Build\Engine\EngineNG\brahma\trunk\build\msvc6_win64\AMD64Release\bin\asc_main.pdb source: V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: HSBDrv64.pdb source: V3Medic.exe, 00000006.00000003.1994448685.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1965582045.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdb source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Nadr.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2002829645.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\AupASD.pdb source: V3Medic.exe, 00000006.00000003.2098362304.00000000038A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDUp.pdb source: V3Medic.exe, 00000006.00000003.2086586393.0000000003856000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mfc90u.amd64.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Mkd3kfNt.pdb source: V3Medic.exe, 00000006.00000003.2005506483.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2006028938.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1419152820.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1993346827.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\Win32Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdbGCTL source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtInst.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrust.pdb source: V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: V3ElamDr.pdb source: V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2049620514.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.amd64.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25sdk.pdb source: V3Medic.exe, 00000006.00000003.1569077142.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1596806201.0000000005DEC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\SysX64.pdb source: SysX64.exe, 0000000F.00000000.1385836130.000000000040F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDSvc.pdb source: V3Medic.exe, 00000006.00000003.2080153436.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCr.pdb source: V3Medic.exe, 00000006.00000003.2072555587.000000000385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AHAWKE.pdb source: V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\ahnlab\system\common\public\monster_v4.0\trunk\src\amonlwlh\amd64\AMonLWLH.pdb source: V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzBrcom.pdb source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: V3ElamCt.pdb source: V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\local_temp\win_amd64_unicode_msvs09\AHLOHA\Ahloha1.4.0.1_SRC\build\msvs09\x64\Release\ahloha.pdb source: V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmAPI.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSvr.pdb source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltCtl.pdb source: V3Medic.exe, 00000006.00000003.2029624911.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltDrv.pdb source: V3Medic.exe, 00000006.00000003.2048550396.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Building\TSMime\TSMime_1.0\build\X64Release.vc90\tsmime.pdb source: V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\V3Cert.pdb source: V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonHKnt.pdb source: V3Medic.exe, 00000006.00000003.2209193882.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TfFRegNt.pdb source: V3Medic.exe, 00000006.00000003.2293256353.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2293596896.0000000000638000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb 0 source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdbGCTL source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\NT32Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90u.i386.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Core.pdb source: V3Medic.exe, 00000006.00000003.2174084552.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2227219595.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\TNNetUtil.pdb source: V3Medic.exe, 00000006.00000003.2200976148.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb@ source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\x64Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release32On64\HsbCtl32.pdb source: V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdb source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptU.pdb source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCli.pdb source: V3Medic.exe, 00000006.00000003.2066690791.0000000003855000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi.pdb source: V3Medic.exe, 00000006.00000003.1797309111.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\devel\Ark6\bin.sdk\Ark64lgplv2.pdb source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\build\system\product\mkd\korenc\building\build\ahnlab\system\product\mkd\korenc\trunk\src\klib_sys\amd64\klb64mkd.pdb source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDi.pdb source: V3Medic.exe, 00000006.00000003.2141353793.000000000385B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Cdm2DrNt.pdb source: V3Medic.exe, 00000006.00000003.2221847702.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AKDVE.pdb source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: certadm.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1548503760.0000000000620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Bthf.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2000992273.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdbp$ source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\AhnLab\Common\BTScan\Trunk\Build\AMD64\Free\BtScnCtl.pdb source: V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdbL source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdb source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1946553042.0000000005FC7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\ais\ahni2\master-36\build\git\AIS\ahni2\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.2122627555.0000000006ABD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\AhnIEx.pdb source: astx_setup.exe, 00000000.00000002.2487160386.000000001015C000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb 0 source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb! source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007633 IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_10007633
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000776E IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_1000776E
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100157E0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_100157E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007A49 FindFirstFileW,FindClose,GetLastError,	0_2_10007A49
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007AAA FindFirstFileW,FindClose,	0_2_10007AAA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10009FBA FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_10009FBA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100086D8 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindNextFileW,FindClose,GetLastError,	0_2_100086D8

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp\	Jump to behavior

Networking

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ftp://http://HTTP/1.0
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%1/CertEnroll/%1_%3%4.crtfile://
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%1/CertEnroll/%3%8%9.crlfile://
Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http:///..
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://allyoucanleet.com/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://broofa.com/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/SecureCertificateServices.crl09
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/globalca1.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng3.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0Y
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: V3Medic.exe, 00000006.00000003.1378099121.0000000003240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://download.ahnlab.com/down/ahnreport/AhnRpt.exe
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gladman.plushost.co.uk/oldsite/AES/index.php
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/)
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://json.org/).
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mathiasbynens.be/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mattmahoney.net/dc/zpaq.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mattmahoney.net/zpaq/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ncompress.sourceforge.net/
Source: astx_setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng30V
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.ahnlab.com.
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng3ocsp.crt04
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://site.icu-project.org/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sourceforge.jp/projects/lha/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sourceforge.net/p/infozip/patches/18/
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcd.com0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wakaba.c3.cx/s/apps/unarchiver.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.7-zip.org/download.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.7-zip.org/sdk.html
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aarongifford.com/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aescrypt.com/
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=en_US2http://www.ahnlab.com/redir/1101.rdir?locale=en_U
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=ko_KR2http://www.ahnlab.com/redir/1101.rdir?locale=ko_K
Source: V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=sp_ES2http://www.ahnlab.com/redir/1101.rdir?locale=sp_E
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.arjsoftware.com/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bzip.org/downloads.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cabextract.org.uk/libmspack/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.compression.ru/ds/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/pub/infozip/license.html.
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kmonos.net/lib/xacrett.en.html
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.apple.com/apsl/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.apple.com/source/xnu/xnu-1486.2.11/bsd/vfs/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/)
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)MD5
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rarlab.com/rar_add.htm
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wavpack.com/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winace.com/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/zlib_license.html
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://yuilibrary.com/license/
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%1/CertEnroll/nsrev_%3.aspldap:///CN=%7%8
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.bandisoft.com
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://code.bandisoft.com/
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/activate/client
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/activate/relay
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/healthcheck
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/zopfli
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/necolas/normalize.css/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wycats/handlebars.js
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wycats/handlebars.js)
Source: V3Medic.exe, 00000006.00000003.1486462149.0000000000611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jp.ahnlab.com/site/support/qna/qnaAddForm2.do;
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/client
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/relay
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/relayhttps://mgactivation.ahnlab.com/api/auth/v
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/healthcheck
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://opensource.ahnlab.com
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://seed.kisa.or.kr/iwt/ko/sup/EgovLeaInfo.do
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bandisoft.com
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs

Source: unknown

DNS traffic detected: queries for: gms.ahnlab.com

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10081531 WSASetLastError,recv,WSAGetLastError,

0_2_10081531

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: V3Medic.exe PID: 6624, type: MEMORYSTR

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\NSIS.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ca2.der	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ca.der	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\NSIS.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\V3ElamDr.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.cat	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_arm64.nz entropy: 7.99987389692	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_com.nz entropy: 7.99992425007	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_nt32.nz entropy: 7.99994581027	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_x64.nz entropy: 7.99996367978	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_ARM64.nz entropy: 7.99997967236	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Common.nz entropy: 7.99995972837	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_ARM64.nz entropy: 7.99992330835	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_NT32.nz entropy: 7.99991798674	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_X64.nz entropy: 7.99993900021	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_NT32.nz entropy: 7.99995451457	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Res.nz entropy: 7.99808528554	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_X64.nz entropy: 7.99996849744	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_ARM64.nz entropy: 7.99962010979	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_NT32.nz entropy: 7.99968840658	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_X64.nz entropy: 7.9996709535	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_ARM64.nz entropy: 7.99997224914	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_NT32.nz entropy: 7.99997283206	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_X64.nz entropy: 7.99997706581	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_ARM64.nz entropy: 7.99993645268	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_NT32.nz entropy: 7.99993597151	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_X64.nz entropy: 7.99993716897	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_ARM64.nz entropy: 7.99974501255	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_NT32.nz entropy: 7.99971520737	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_X64.nz entropy: 7.99975169927	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_ARM64.nz entropy: 7.99851995659	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_NT32.nz entropy: 7.99884081465	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_X64.nz entropy: 7.99914416454	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Update.nz entropy: 7.99991954609	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\asdahc.nz entropy: 7.99403404133	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\geo.asd entropy: 7.99435509055	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\geo.asd entropy: 7.99435509055	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\gof.dat entropy: 7.99341158373	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\gof.dat entropy: 7.99341158373	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msg.dat entropy: 7.99989526323	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\msg.dat entropy: 7.99989526323	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Prtect.dat entropy: 7.99468772612	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat entropy: 7.99468772612	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tnnipsig.rul entropy: 7.9985827226	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul entropy: 7.9985827226	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\defcfg.db entropy: 7.99346459276	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db entropy: 7.99346459276	Jump to dropped file

System Summary

Uses 32bit PE files

Source: astx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000D6BA AI_ExitWindows,AhnIEx_ExitWindows,		0_2_1000D6BA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1001869A AhnIEx_ExitWindows,AhnIEx_IsWinNT,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,		0_2_1001869A

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File created: C:\Windows\AhnInst.log

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100EF060	0_2_100EF060
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A7080	0_2_100A7080
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_101150A7	0_2_101150A7
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_101130A7	0_2_101130A7
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B30B0	0_2_100B30B0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A30E0	0_2_100A30E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B10E0	0_2_100B10E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009B110	0_2_1009B110
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A51C0	0_2_100A51C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C7320	0_2_100C7320
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3320	0_2_100F3320
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009F340	0_2_1009F340
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009B360	0_2_1009B360
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A9380	0_2_100A9380
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A53B0	0_2_100A53B0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A1410	0_2_100A1410
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AB440	0_2_100AB440
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3440	0_2_100F3440
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3450	0_2_100A3450
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3488	0_2_100F3488
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100734F0	0_2_100734F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5550	0_2_100A5550
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B15E0	0_2_100B15E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_101135EB	0_2_101135EB
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100DF640	0_2_100DF640
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A9650	0_2_100A9650
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B3700	0_2_100B3700
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3750	0_2_100A3750
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5760	0_2_100A5760
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008D780	0_2_1008D780
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009F7E0	0_2_1009F7E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100DF7F0	0_2_100DF7F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B1800	0_2_100B1800
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F58F0	0_2_100F58F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009B920	0_2_1009B920
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100EF940	0_2_100EF940
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AD970	0_2_100AD970
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1010D98B	0_2_1010D98B
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3A60	0_2_100F3A60
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5A70	0_2_100A5A70
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F5B10	0_2_100F5B10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10113B2F	0_2_10113B2F
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009FBF0	0_2_1009FBF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A9C50	0_2_100A9C50
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C3C80	0_2_100C3C80
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100DFC80	0_2_100DFC80
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1003DCD0	0_2_1003DCD0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E3CE0	0_2_100E3CE0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E7CF0	0_2_100E7CF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008DD00	0_2_1008DD00
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10073D10	0_2_10073D10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C1D20	0_2_100C1D20
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3D30	0_2_100A3D30
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F5D50	0_2_100F5D50
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5D90	0_2_100A5D90
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3DF0	0_2_100A3DF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FBDF1	0_2_100FBDF1
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C3E10	0_2_100C3E10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C1EF0	0_2_100C1EF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10073F10	0_2_10073F10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5F20	0_2_100A5F20
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B1FA0	0_2_100B1FA0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10105FC2	0_2_10105FC2
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008E058	0_2_1008E058
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A4050	0_2_100A4050
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A2080	0_2_100A2080
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AC0E0	0_2_100AC0E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F60E0	0_2_100F60E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AA130	0_2_100AA130
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A01A0	0_2_100A01A0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F41C0	0_2_100F41C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008A200	0_2_1008A200
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008A229	0_2_1008A229
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F0220	0_2_100F0220
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10114227	0_2_10114227
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A42A0	0_2_100A42A0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FC2C6	0_2_100FC2C6
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E8300	0_2_100E8300
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A2340	0_2_100A2340
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F4340	0_2_100F4340
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100EE350	0_2_100EE350
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100D0370	0_2_100D0370
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008E390	0_2_1008E390
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008C3E0	0_2_1008C3E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A63F0	0_2_100A63F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AA3F0	0_2_100AA3F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10074420	0_2_10074420
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B4430	0_2_100B4430
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B6490	0_2_100B6490
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A44A0	0_2_100A44A0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100524D0	0_2_100524D0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A0560	0_2_100A0560
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C45C0	0_2_100C45C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008C5F0	0_2_1008C5F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B4610	0_2_100B4610
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100D6610	0_2_100D6610
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A8630	0_2_100A8630
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A2680	0_2_100A2680
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FC69A	0_2_100FC69A
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B2690	0_2_100B2690
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A46C0	0_2_100A46C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AA6E0	0_2_100AA6E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100506F0	0_2_100506F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E0770	0_2_100E0770
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000A7B7	0_2_1000A7B7
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_006435EA	6_3_006435EA
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640BF2	6_3_00640BF2
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064354C	6_3_0064354C
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064354C	6_3_0064354C
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_006435EA	6_3_006435EA
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640BF2	6_3_00640BF2
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064354C	6_3_0064354C
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_006435EA	6_3_006435EA
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640BF2	6_3_00640BF2

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 10105818 appears 55 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FB0D0 appears 620 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FAF3D appears 44 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 10051590 appears 84 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FADEC appears 263 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 10017248 appears 51 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F8A0 appears 105 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F950 appears 374 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F970 appears 49 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F8E0 appears 81 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FAADF appears 39 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1000A6E4 appears 49 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1005DA30 appears 48 times

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10006383 __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3,_memset,GetLastError,GetLastError,CreateProcessAsUserW,GetLastError,GetLastError,

0_2_10006383

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: astx_setup.exe, 00000000.00000002.2487880272.000000001017D000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: OriginalFilenameAhnIEx.dll( vs astx_setup.exe

Tries to load missing DLLs

Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90loc.dll	Jump to behavior

Contains functionality to delete services

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10013A39 OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,GetLastError,AhnIEx_SetReboot,GetLastError,CloseServiceHandle,GetLastError,GetLastError,GetLastError,CloseServiceHandle,GetLastError,

0_2_10013A39

Source: C:\Users\user\Desktop\astx_setup.exe

File read: C:\Users\user\Desktop\astx_setup.exe

Jump to behavior

Source: astx_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\astx_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\astx_setup.exe C:\Users\user\Desktop\astx_setup.exe
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y\| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe "C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe"
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y\| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"	Jump to behavior
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe "C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1001869A AhnIEx_ExitWindows,AhnIEx_IsWinNT,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,

0_2_1001869A

Source: C:\Users\user\Desktop\astx_setup.exe

File created: C:\Users\user\AppData\Local\Temp\nspB39D.tmp

Jump to behavior

Source: classification engine

Classification label: sus34.rans.troj.evad.winEXE@16/713@3/0

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100162BF __EH_prolog3,CoCreateInstance,_wcsrchr,

0_2_100162BF

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,CloseServiceHandle,GetLastError,		0_2_100135A9
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: AI_CreateService2,		0_2_1000E5CE

Source: C:\Users\user\Desktop\astx_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1000D788 AI_GetDiskFreeSpace,AhnIEx_GetDiskFreeSpace,AhnIEx_snprintf,

0_2_1000D788

Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100136B9 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,GetLastError,GetLastError,PeekMessageW,Sleep,QueryServiceStatus,DispatchMessageW,PeekMessageW,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

0_2_100136B9

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_02
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_mutex_ahni2_log_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:304:WilStaging_02
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_Mutex_AIL_SingleInstance_{FF56B785-EF71-461B-AF11-9891E8303723}_ASTX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_02
Source: C:\Users\user\Desktop\astx_setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_Mutex_AIL_Log_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:304:WilStaging_02

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10019718 LoadResource,LockResource,SizeofResource,

0_2_10019718

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File created: C:\Program Files\AhnLab

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

File written: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\BldInfo.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File opened: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll

Jump to behavior

Source: astx_setup.exe

Static file information: File size 81412376 > 1048576

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\ASDTEMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\Microsoft.VC90.CRT.manifest	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\drvinfo_astx.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\ipcntry.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzcmncfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzdefcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\product.dat.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\mupdate2.cfg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Product.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\astx.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipprt.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\aos.sld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\aspinfo.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\extraopn_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\netizen_ply_default.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\ply_ver.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\starter_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_f.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\checkboxes.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\custom_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_hover.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_normal.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_firewall.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_log_viewer.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_error.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_on.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_product_tray.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_quarantine.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_detect.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_setting.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_stx_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_alert.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_shel_check.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_listctrl_header.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_popup_titlebar.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_safe.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo_about.bmp	Jump to behavior

Source: astx_setup.exe

Static PE information: certificate valid

Source: astx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AhnRghNt.pdb source: V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\WinFWMgr\Trunk\Build\X64Release.vc90\WinFWMgr.pdb source: V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\PdCfg.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1795673899.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Av.pdb source: V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\UpEx.pdb source: V3Medic.exe, 00000006.00000003.1838675962.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptNt.pdb source: V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmCtrl.pdb source: V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AHAWKENT.pdb source: V3Medic.exe, 00000006.00000003.2203334329.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDLH.pdb source: V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDnt.pdb source: V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdb source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\build\X64Release.vc60\AhnCtlKD.pdb source: V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\HsbCtl.pdb source: V3Medic.exe, 00000006.00000003.1746313302.0000000003A5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.i386.pdb source: V3Medic.exe, 00000006.00000003.1941544747.0000000005E6A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrumt.pdb source: V3Medic.exe, 00000006.00000003.2376704009.0000000006BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: certutil.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzPlugin.pdb source: V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\_building\Build\Engine\EngineNG\brahma\trunk\build\msvc6_win64\AMD64Release\bin\asc_main.pdb source: V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: HSBDrv64.pdb source: V3Medic.exe, 00000006.00000003.1994448685.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1965582045.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdb source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Nadr.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2002829645.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\AupASD.pdb source: V3Medic.exe, 00000006.00000003.2098362304.00000000038A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDUp.pdb source: V3Medic.exe, 00000006.00000003.2086586393.0000000003856000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mfc90u.amd64.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Mkd3kfNt.pdb source: V3Medic.exe, 00000006.00000003.2005506483.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2006028938.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1419152820.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1993346827.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\Win32Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdbGCTL source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtInst.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrust.pdb source: V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: V3ElamDr.pdb source: V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2049620514.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.amd64.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25sdk.pdb source: V3Medic.exe, 00000006.00000003.1569077142.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1596806201.0000000005DEC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\SysX64.pdb source: SysX64.exe, 0000000F.00000000.1385836130.000000000040F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDSvc.pdb source: V3Medic.exe, 00000006.00000003.2080153436.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCr.pdb source: V3Medic.exe, 00000006.00000003.2072555587.000000000385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AHAWKE.pdb source: V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\ahnlab\system\common\public\monster_v4.0\trunk\src\amonlwlh\amd64\AMonLWLH.pdb source: V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzBrcom.pdb source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: V3ElamCt.pdb source: V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\local_temp\win_amd64_unicode_msvs09\AHLOHA\Ahloha1.4.0.1_SRC\build\msvs09\x64\Release\ahloha.pdb source: V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmAPI.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSvr.pdb source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltCtl.pdb source: V3Medic.exe, 00000006.00000003.2029624911.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltDrv.pdb source: V3Medic.exe, 00000006.00000003.2048550396.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Building\TSMime\TSMime_1.0\build\X64Release.vc90\tsmime.pdb source: V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\V3Cert.pdb source: V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonHKnt.pdb source: V3Medic.exe, 00000006.00000003.2209193882.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TfFRegNt.pdb source: V3Medic.exe, 00000006.00000003.2293256353.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2293596896.0000000000638000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb 0 source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdbGCTL source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\NT32Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90u.i386.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Core.pdb source: V3Medic.exe, 00000006.00000003.2174084552.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2227219595.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\TNNetUtil.pdb source: V3Medic.exe, 00000006.00000003.2200976148.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb@ source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\x64Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release32On64\HsbCtl32.pdb source: V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdb source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptU.pdb source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCli.pdb source: V3Medic.exe, 00000006.00000003.2066690791.0000000003855000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi.pdb source: V3Medic.exe, 00000006.00000003.1797309111.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\devel\Ark6\bin.sdk\Ark64lgplv2.pdb source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\build\system\product\mkd\korenc\building\build\ahnlab\system\product\mkd\korenc\trunk\src\klib_sys\amd64\klb64mkd.pdb source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDi.pdb source: V3Medic.exe, 00000006.00000003.2141353793.000000000385B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Cdm2DrNt.pdb source: V3Medic.exe, 00000006.00000003.2221847702.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AKDVE.pdb source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: certadm.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1548503760.0000000000620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Bthf.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2000992273.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdbp$ source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\AhnLab\Common\BTScan\Trunk\Build\AMD64\Free\BtScnCtl.pdb source: V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdbL source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdb source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1946553042.0000000005FC7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\ais\ahni2\master-36\build\git\AIS\ahni2\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.2122627555.0000000006ABD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\AhnIEx.pdb source: astx_setup.exe, 00000000.00000002.2487160386.000000001015C000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb 0 source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb! source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2413738502.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: astx_setup.exe PID: 6348, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FB580 push ecx; ret	0_2_100FB593
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1010585D push ecx; ret	0_2_10105870
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144

PE file contains sections with non-standard names

Source: medvphku.dll.6.dr	Static PE information: section name: .detourc
Source: medvphku.dll.6.dr	Static PE information: section name: .detourd
Source: medvphku.dll.6.dr	Static PE information: section name: .UPX0
Source: medvphku.dll0.6.dr	Static PE information: section name: .detourc
Source: medvphku.dll0.6.dr	Static PE information: section name: .detourd
Source: medvphku.dll0.6.dr	Static PE information: section name: .UPX0
Source: medvphkuw6.dll.6.dr	Static PE information: section name: .detourc
Source: medvphkuw6.dll.6.dr	Static PE information: section name: .detourd
Source: medvphkuw6.dll.6.dr	Static PE information: section name: .UPX0
Source: medvphkuw6.dll0.6.dr	Static PE information: section name: .detourc
Source: medvphkuw6.dll0.6.dr	Static PE information: section name: .detourd
Source: medvphkuw6.dll0.6.dr	Static PE information: section name: .UPX0
Source: trueeyesu.dll.6.dr	Static PE information: section name: .detourc
Source: trueeyesu.dll.6.dr	Static PE information: section name: .detourd
Source: trueeyesu.dll.6.dr	Static PE information: section name: .UPX0
Source: trueeyesu.dll0.6.dr	Static PE information: section name: .detourc
Source: trueeyesu.dll0.6.dr	Static PE information: section name: .detourd
Source: trueeyesu.dll0.6.dr	Static PE information: section name: .UPX0
Source: ScrMon32.dll.6.dr	Static PE information: section name: .ScrmonS
Source: ScrMon32.dll0.6.dr	Static PE information: section name: .ScrmonS
Source: Ark64.dll.6.dr	Static PE information: section name: text
Source: Ark64.dll0.6.dr	Static PE information: section name: text

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_101101FA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_101101FA

Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.008144709647387
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.008144709647387
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.097619293313276
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.097619293313276
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.030662826386985
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.030662826386985

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcp90.dll	Jump to dropped file

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ATampt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\AhnIEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AhnIEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysARM64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AI7z20.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AhnI2t.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATampt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nss3.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonLWLH.sys	Jump to dropped file

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1000B0F4 AhnIEx_SetMode,AhnIEx_GetMode,AhnIEx_GetMode,AhnIEx_GetMode,_memset,AhnIEx_IsWinNT,AhnIEx_IsWinNT,AhnIEx_IsWinNT,GetPrivateProfileStringW,

0_2_1000B0F4

Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_en_US.txt	Jump to behavior
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_ko_kr.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mkd2Nadr

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100136B9

Hooking and other Techniques for Hiding and Protection

May modify the system service descriptor table (often done to hook functions)

Source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: KeServiceDescriptorTable

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1001D082 GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,FreeLibrary,_memset,

0_2_1001D082

Uses cacls to modify the permissions of files

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)

Source: C:\Users\user\Desktop\astx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys, type: DROPPED
Source: Yara match	File source: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys, type: DROPPED

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\astx_setup.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ATampt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysARM64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AI7z20.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATampt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\astx_setup.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007633 IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_10007633
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000776E IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_1000776E
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100157E0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_100157E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007A49 FindFirstFileW,FindClose,GetLastError,	0_2_10007A49
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007AAA FindFirstFileW,FindClose,	0_2_10007AAA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10009FBA FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_10009FBA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100086D8 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindNextFileW,FindClose,GetLastError,	0_2_100086D8

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp\	Jump to behavior

Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware View Agent
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_PcLog.cpp[IAstxSaPcLogImpl::Initialize] called[IAstxSaPcLogImpl::Uninitialize] calledIAstxSaPcLogImpl::GetPcLogA[IAstxSaPcLogImpl::GetPcLogA] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d)VirtualMachineYnYN[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogA] dwError(0x%08x)IAstxSaPcLogImpl::GetPcLogW[IAstxSaPcLogImpl::GetPcLogW] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] dwError(0x%08x)[CStSdkSaPcLog::Uninitialize] called0
Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: setupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service.\AkMsgCtrl.cpp[CAkMsgCtrl::Initialize][CAkMsgCtrl::Initialize] _beginthreadex m_hAliveThread=%x, nThreadId=%x[CAkMsgCtrl::Initialize] _beginthreadex m_hProcessingThread=%x, nThreadId=%x[CAkMsgCtrl::Initialize] _beginthreadex m_hWaitingThread=%x, nThreadId=%x[CAkMsgCtrl::Finalize][CAkMsgCtrl::AliveThread][CAkMsgCtrl::WaitingThread]\\.\pipe\session(%d)nzbrco(%d)[CAkMsgCtrl::Callback] pRequest == NULL%s[CAkMsgCtrl::ProcessingThread]commandtypefilefilepathrbcommandseqe2e_inite2e_starte2e_cleare2e_focuse2e_blure2e_stopget_datae2e_alivee2e_uninite2e_unloade2e_gethashe2e_gettexte2e_settexte2e_forminite2e_formgetsdk_getenctext[CAkMsgCtrl::ProcessingThread] Unknown Request=%sACKresultpageid[CAkMsgCtrl::OnE2EUninit] pInstance == NULL, IsWindow(hwndFocus=%x) == %d[CAkMsgCtrl::OnE2EUnload] pInstance == NULL, IsWindow(hwndFocus=%x) == %de2e_inputidnamee2e_typeurlhwndvAlgcustcodeak_drvnosptw_vkeyw_kstr0call_settextcall_gettextvm_env1formmaxlengthtxtmsktypee2e_inputtype[CAkMsgCtrl::OnE2EFocus] pE2EInput == NULL21password[CAkMsgCtrl::OnE2EFocus] pInstance == NULL, hwndFocus=%x[CAkMsgCtrl::OnE2EFocus] pInstance == NULL, IsWindow(hwndFocus=%x) == false[CAkMsgCtrl::OnE2EFocus] Updated pE2EWindow->m_hwndFocus(%x) to hFocus(%x)[CAkMsgCtrl::OnE2EBlur] pInstance == NULL, IsWindow(hwndFocus=%x) == %d[CAkMsgCtrl::OnE2EBlur] ignored, still focused [CAkMsgCtrl::OnE2EStop] pInstance == NULL, IsWindow(hwndFocus=%x) == %dalgids1names1ids2names2uniqcert1cert2utimenorsa&=e2e_data2e2e_data1[CAkMsgCtrl::OnE2EGetHash] pE2EInput == NULL[CAkMsgCtrl::OnE2EGetHash] strHash(empty)hashwizvera_key[CAkMsgCtrl::OnE2EGetText] pE2EInput == NULL2231[CAkMsgCtrl::OnE2EGetText] not allowed, m_strE2EType=%s[CAkMsgCtrl::OnE2EGetText] Wizvera Mode. Key is empty.text[CAkMsgCtrl::OnE2EGetText] Wizvera Mode. Encrypt failed.e2eformnoenc[CAkMsgCtrl::OnE2ESetText] pE2EInput == NULLe2e_datancertversvre2e_form1e2e_form2[CAkMsgCtrl::OnE2EFormGet] pE2EInput == NULLcustomcoderandom[CAkMsgCtrl::OnSDKGetEncText] E2EMGR.GetEncTextStr() failed.getenctext.\apihook.cpphModuleHandleszExportAPI[HookFreeCodeGetProcAddress] EXCEPTION_EXECUTE_HANDLERpbMemBufpbRawBuf[GetOrgCodeFromFile] GetModuleHandle failed(errno=%ld,%s)dwRvaAddr > 0[GetOrgCodeFromFile] CreateFileA failed(errno=%ld,%s)[GetOrgCodeFromFile] CreateFileMapping failed(errno=%ld)[GetOrgCodeFromFile] MapViewOfFile failed(errno=%ld)[GetOrgCodeFromFile] ReadFile failed(errno=%ld)CallWindowProcWCallWindowProcAuser32.dll.\CallWindowProcApiHook.cppCCallWindowProcApiHook::Hook_CallWindowProcA FF SetSafeWndProc lpPrevWndFunc[0x%08x]xul.dllCCallWindowProcApiHook::Hook_
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \\.\pipe\nzsesspipeserver..\Common\NzSessMessageMgr.cpp[CNzSessMessageMgr::CNzSessMessageMgr] CAccessUtility::CreateEveryoneAccessibleSecurityDescriptor() failed.{7D33F21A-8B4E-4c90-B80D-227DBF687A4E}NULL != m_hSyncMutex[CNzSessMessageMgr::SendBrwsLogMessage] CPipeClient::CheckServer() failed. error=%d[CNzSessMessageMgr::SendBrwsLogMessage] CPipeClient::Connect() failed. error=%dCNzSessMessageMgr::SendSdkEstmMessage[CNzSessMessageMgr::SendSdkEstmMessage] CPipeClient::CheckServer() failed. error=%d[CNzSessMessageMgr::SendSdkEstmMessage] CPipeClient::Connect() failed. error=%dNULL != pSecureMsg[CNzSessMessageMgr::SendSdkExMessageIntRet] CPipeClient::CheckServer() failed.[CNzSessMessageMgr::SendSdkExMessageIntRet] CPipeClient::Connect() failed.[CNzSessMessageMgr::SendSdkExMessageStrRet] CPipeClient::CheckServer() failed.[CNzSessMessageMgr::SendSdkExMessageStrRet] CPipeClient::Connect() failed.xdigitwuppersspacepunctprintlowergraphdigitdcntrlblankalphaalnumteamviewervncrc40app.exercengmgru.exeManufacturerModelProduct\iphlpapi.dllGetExtendedTcpTablesetupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/..\Common\PcLogGatherer.cpp[CPcLogGatherer::Reload] m_hReloadThread=%x, m_nReloadThreadID=%d[CPcLogGatherer::Reload] PcLog is already reloadingCPcLogGatherer::ReloadInternalPrivIP%dGatewayIP%dGatewayIPIP_ETH0_PRIV_YNIP_ETH1_PRIV_YNIP_ETH2_PRIV_YN0.0.0.0ActiveGWIPPrivIP1PrivIP2PrivIP3McAdr%dMAC_ORG_ETH%dFORGERY_MAC_ETH%d_YNJuniper Network Connect Virtual Adapter%02X-%02X-%02X-%02X-%02X-%02X00-00-00-00-00-00McAdr%dFORGERY_MAC_YNVpnYnVpnIPVpnCntryCdIP_VPN_LCALUSE_VPNVPN_N_COUNTRY_CODEVPN_NIPWin32_BaseBoardSerialNumberMbSerial_VMMbSerial%MbProductNoMbManufacturerCustomHdSerial[CPcLogGatherer::UseCustomHDSerial] dwCustomHdSerial=%dHdSerial_VMHdSerialWMINOTSUPPORTEDHdSerial2HdSerial3Win32_DiskDriveDeviceIDphysicaldrive0HdModelDISKSERIALHdSerial1_NHHdSerial2_NHHdSerial3_NHWin32_PhysicalMediaTagphysicaldrive%d00000000000000000000UsbSerial%dSYSTEM\CurrentControlSet\services\USBSTOR\EnumCountWin32_OperatingSystemOSType%02xOsTypeCdOsVerCdOSLanguage%04xOsLangCdServicePackMajorVersionOsSpCdSOFTWARE\Microsoft\CryptographyMachineGuidOsGuidSYSTEM\CurrentControlSet\Control\Terminal ServerfDenyTSConnectionsOsRemoteYnSYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileEnableFirewallDoNotAllowExceptionsOsFwStupCd03OS_FIREWALL_CD0102%04d%02d%02dLogDate%02d%02d%02d%03ldLogTime1.0LogVerPrxyUseYnP_INFPrxyIPPrxyIP_sz15PrxyCntryCdPRXY_LCAL[CPcLogGatherer::GetPcLog] m_bTimeoutReload = TRUESoftware\AhnLab\Safe Transaction\pl[CPcLogGatherer::GetPcLog] Base64Decode error=%d[CPcLogGatherer::SetPcLog] skip (%s)[CPcLogGatherer::SetPcLog] Base64Encode error=%d[CPcLogGatherer::SetPcLog] reg.Create error=%d[CPcLogGatherer::SetPcLog] %s=%src50app.exercsemgru.exercuimgru.exeRD\|RSNORemoteEnvREMOTE_YNIS_REMOTEMadr%dValidYn^[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}$^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$Win32_keyboardDescriptionUSBPS/2%02dKbdType10-%03d-%03d-%02dOS_VSN_CD10OS_CD00OS_SPVSN99MSIEEdge60Firefox20rvOpera50OPRChromeEdg7030Safari40%s-%03d-%03d-000-000BwVsnCdBR_VERBR_LONG_NAMEBwVsnCd2%03d%s-%s-000Internet ExplorerMS EdgeEtcPubIPPubIPCntryCdENAT_ERR_CDW_COUNTRY_CODECPcLogGatherer::InitializeDBDB\ipcntry.db[CPcLogGatherer::InitializeDB] error : sqlite3_open(%s)CPcLogGatherer::SetCountryCodeselect CODE from t where START <= %u and END >= %uSTS_DHACKSTS_KEYLOG_YNELAPSED_TMCpuId_VMCpuIdCPUID0CPUID1Win32_ProcessorProcessorIdNameCpuNameCaptionCpuCaptionCpuId_NH%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02XSOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCardsServiceName%s=%s\\.\[CPcLogGatherer::GetNICMacAddress] CreateFileA(%s) error[CPcLogGatherer::GetSecuLogCount] Sdk Mode can't gathered SecuLog[CPcLogGatherer::GetSecuLogCount] cLogDB.Initialize() error[CPcLogGatherer::GetSecuLogCount] cLogDB.GetLogInterface() error[CPcLogGatherer::GetSecuLogCount] cLogDB.GetLogDataInterface() erro
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_PcLog.cpp[IAstxSaPcLogImpl::Initialize] called[IAstxSaPcLogImpl::Uninitialize] calledIAstxSaPcLogImpl::GetPcLogA[IAstxSaPcLogImpl::GetPcLogA] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d)VirtualMachineYnYN[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogA] dwError(0x%08x)IAstxSaPcLogImpl::GetPcLogW[IAstxSaPcLogImpl::GetPcLogW] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] dwError(0x%08x)[CStSdkSaPcLog::Uninitialize] calledH
Source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: optsvm_parallels[checVirtualMachine] vm_parallels=%d(result=%d)[procIsVmEnv] in1vm_env[procIsVmEnv] out (result:%s)[procIsRemoteEnv] inremote_env[procIsRemoteEnv] out (result:%s)[procIsVmRemoteEnv] invm_remote_env[procIsVmRemoteEnv] out (result:%s)[procIsOfflineMaster] in\|bldnum[procIsOfflineMaster] out (result:%s, strBldNum : %s)[CResponseASTx2::procIsNotSupportOS] ak=[%d], fw=[%d], pb=[%d], pcs=[%d]Description[CResponseASTx2::procIsNotSupportOS] QueryDWORDValue lRet=%d, dwDesc=0x%08x[CResponseASTx2::procIsNotSupportOS] %s127.0.0.10.0.0.0ASTX2application/javascript[handleTCPClientSSL] SSL is null
Source: V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_Mkd25.cpp[CStSdkSaMkd25::Initialize] module:(%s)[CStSdkSaMkd25::Initialize] GetProcAddress failed:(%s)[CStSdkSaMkd25::Initialize] LoadLibraryEx failed:(%s)[CStSdkSaMkd25::Uninitialize] called[CStSdkSaMkd25::GetObject8A] called[CStSdkSaMkd25::GetObject8W] called.\StSdkSa_Pb.cpp[IAstxSaPbImpl::Initialize] called[IAstxSaPbImpl::Initialize] Running on server OS[IAstxSaPbImpl::Uninitialize] calledIAstxSaPbImpl::StartA[IAstxSaPbImpl::StartA] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartA] return (%x)stsess.exe;stsess32.exe;aupasd.exe;asdwsc.exe;asdup.exe;asdsvc.exe;asdcr.exe;asdcli.exe;akdve.exe;vmtoolsd.exe;sg_oathexe.exe;microsoftedgecp.exe;[IAstxSaPbImpl::StartA] Skip using [HSB] driver[IAstxSaPbImpl::StartA] AhnHS_Start success[IAstxSaPbImpl::StartA] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StartW[IAstxSaPbImpl::StartW] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartW] return (%x)[IAstxSaPbImpl::StartW] Skip using [HSB] driver[IAstxSaPbImpl::StartW] success [IAstxSaPbImpl::StartW] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StopA[IAstxSaPbImpl::StopA] Skip using HSB driver[IAstxSaPbImpl::StopA] Success [IAstxSaPbImpl::StopA] Fail IAstxSaPbImpl::StopW[IAstxSaPbImpl::StopW] Skip using HSB driver[IAstxSaPbImpl::StopW] Success [IAstxSaPbImpl::StopW] Fail IAstxSaPbImpl::SetActivateSubFuncIAstxSaPbImpl::SetEventCallbackIAstxSaPbImpl::SetExOptionA[IAstxSaPbImpl::SetExOptionA] Skip using HSB driverexceptprocesspid[IAstxSaPbImpl::SetExOptionA] protectProcess Ins, ulOption:(%x)IAstxSaPbImpl::SetExOptionW[IAstxSaPbImpl::SetExOptionW] Skip using HSB driver[IAstxSaPbImpl::SetExOptionW] protectProcess Ins, ulOption:(%x)[IAstxSaPbImpl::IAstxSaPbImpl] Running on server OS[CStSdkSaPb::Uninitialize] called[CStSdkSaPb::StSdk_GetPbObject] calledL
Source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: serverteamviewervncWM_AKHOOK_SETSTATE\iphlpapi.dllGetExtendedTcpTablesetupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service%%%result\\.\pipe\session(%d)stsess[requestPIP] Connect failed(errno=%d,%s)[requestPIP] WriteAndBinRet failed(errno=%d,response=%d(%d),%s)rnd{v:%s,s:%s}{method:%d,salt:%d,stamp:%s}dataACKurlstampnorsa{method:%d,salt:%d,norsa:%d,stamp:%s}NCK[procCheckServer] result=%s,method=%dstepcert%dcert[procSetCert] result=%s,nstep=%d[procSetProtect] referer=%scustomeridakfwpbpcs[procSetProtect] customerid=[%s], ak=[%d], fw=[%d], pb=[%d], pcs=[%d][procSetProtect] customerid is invalidNSPfuncdynplycommand[procSetProtect] result=%sncert[procGetData] ncert=%d,norsa=%dcert1cert2pageid[procGetData] result=%s,pageid=%snlogoptbrowseripaddr[procGetPCLOGData] nlog=%d,norsa=%d,ipaddr=%s,browser=%s,opt=%s[procGetPCLOGData] useragent=%suseragent[procGetPCLOGData] result=%s(%.3fs)3stsvrsvr[procE2Estart] svr=%s,url=%s,useragent=%s, browser=%s,pageid=%sEGOTEG0hwnd[procE2Estart] response(%s)[procE2Estart] failed(%s)e2e_focuse2e_blur?[CResponseASTx2::getHost] AfxParseURL error(%d)https://%shttp://%s[CResponseASTx2::QueryToNzSessPipeServer] CPipeClient::CheckServer() failed. error=%d[CResponseASTx2::QueryToNzSessPipeServer] CPipeClient::Connect() failed. error=%d[CResponseASTx2::PostAIPScriptInfo] version=%s[CResponseASTx2::PostAIPScriptInfo] url=%s[CResponseASTx2::PostAIPScriptInfo] error=%d[CResponseASTx2::IsProtectedSite] %s, nIsProtectedSite=%d[CResponseASTx2::IsForgeryMonitorSite] %s, nIsScriptMonitorSite=%d[CResponseASTx2::IsForgeryScript] csUrl IsEmpty == true[CResponseASTx2::IsForgeryScript] csUrl=%s[CResponseASTx2::IsForgeryScript] csHost=%s[CResponseASTx2::IsForgeryScript] csObjectName=%s[CResponseASTx2::IsForgeryScript] false, %s[CResponseASTx2::IsForgeryScript] true, %s[procHello] csAgent=%s[procHello] csReferer=%s[procHello] csScriptUrl=%s[procHello] csScriptVer=%s[procHello] IsProtectedSite false - %sastx2.min.js[procHello] IsForgeryScript true - %snoenc[procE2EFormInit] ncert=%d,norsa=%d,noenc=%d[procE2EFormInit] result=%s,pageid=%s[CResponseASTx2::GetResponseData] failed SplitSubData %s/ASTX2/helloalivee2e_alivecheckset_certset_protectget_dataget_pclogis_vm_envis_remote_envis_vm_remote_enve2e_starte2e_inite2e_gettexte2e_settexte2e_cleare2e_stope2e_uninite2e_unloade2e_gethashe2e_forminite2e_formgetis_offline_masteris_not_support_oscallbacktry{%s(%s);}catch(e){}%s(%s)[getCurrentFocusWindowsHandleEdge] less-than WIN10(osver=%d)ApplicationFrameWindow[getCurrentFocusWindowsHandleEdge] pid=%d,hwnd=0x%08X,class=%s
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\Ahnlab\ASP\MyKeyDefense 2.5CheckDataFile nMode[%d] bRet[%d]IPTip_Main_WindowGetExtendedTcpTable\iphlpapi.dll\StringFileInfo\%04x%04x\%sCompanyName\VarFileInfo\TranslationWorkstationAgent.exeWorkStationAgentCitrix\Virtual Desktop AgentSOFTWARE\Citrix\VirtualDesktopAgentwinvnc.exevboxvmware{4D36E967-E325-11CE-BFC1-08002BE10318}QEMU-GASetupDiGetDeviceRegistryPropertyASetupDiEnumDeviceInfoSetupDiDestroyDeviceInfoListSetupDiGetClassDevsAsetupapi.dllProductModelManufacturerWQLSELECT * FROM Win32_BaseBoardROOT\CIMV2macappleCCheckEnv HasConflictingBoard=%d.CCheckEnv NotSupportOs=%d.CCheckEnv Remote=%d.IsVirtualMachine, dwType=%dLastPolicy@
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QEMU-GA
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_Mkd25.cpp[CStSdkSaMkd25::Initialize] module:(%s)[CStSdkSaMkd25::Initialize] GetProcAddress failed:(%s)[CStSdkSaMkd25::Initialize] LoadLibraryEx failed:(%s)[CStSdkSaMkd25::Uninitialize] called[CStSdkSaMkd25::GetObject8A] called[CStSdkSaMkd25::GetObject8W] called.\StSdkSa_Pb.cpp[IAstxSaPbImpl::Initialize] called[IAstxSaPbImpl::Initialize] Running on server OS[IAstxSaPbImpl::Uninitialize] calledIAstxSaPbImpl::StartA[IAstxSaPbImpl::StartA] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartA] return (%x)stsess.exe;stsess32.exe;aupasd.exe;asdwsc.exe;asdup.exe;asdsvc.exe;asdcr.exe;asdcli.exe;akdve.exe;vmtoolsd.exe;sg_oathexe.exe;microsoftedgecp.exe;[IAstxSaPbImpl::StartA] Skip using [HSB] driver[IAstxSaPbImpl::StartA] AhnHS_Start success[IAstxSaPbImpl::StartA] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StartW[IAstxSaPbImpl::StartW] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartW] return (%x)[IAstxSaPbImpl::StartW] Skip using [HSB] driver[IAstxSaPbImpl::StartW] success [IAstxSaPbImpl::StartW] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StopA[IAstxSaPbImpl::StopA] Skip using HSB driver[IAstxSaPbImpl::StopA] Success [IAstxSaPbImpl::StopA] Fail IAstxSaPbImpl::StopW[IAstxSaPbImpl::StopW] Skip using HSB driver[IAstxSaPbImpl::StopW] Success [IAstxSaPbImpl::StopW] Fail IAstxSaPbImpl::SetActivateSubFuncIAstxSaPbImpl::SetEventCallbackIAstxSaPbImpl::SetExOptionA[IAstxSaPbImpl::SetExOptionA] Skip using HSB driverexceptprocesspid[IAstxSaPbImpl::SetExOptionA] protectProcess Ins, ulOption:(%x)IAstxSaPbImpl::SetExOptionW[IAstxSaPbImpl::SetExOptionW] Skip using HSB driver[IAstxSaPbImpl::SetExOptionW] protectProcess Ins, ulOption:(%x)[IAstxSaPbImpl::IAstxSaPbImpl] Running on server OS[CStSdkSaPb::Uninitialize] called[CStSdkSaPb::StSdk_GetPbObject] called
Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .\WinEventHook.cpp[CWinEventHook::Initialize] tid(%d) is recycled.[CWinEventHook::Initialze] hwnd=%x, pData->hHook=%08xhHook[CWinEventHook::Initialze] SetWinEventHook failed[CWinEventHook::Uninitialize] pData->m_hHook=%08x[CWinEventHook::Uninitialize] unhook failed, pData->m_hHook=%08x[CWinEventHook::WinEventProcFocus] ByPass, IsProhibited true[CWinEventHook::WinEventProcFocus] CLASS_IE_SHDOCVW ignored, role=%08x, hwnd=%08x[CWinEventHook::WinEventProcFocus] non-client, role=%08x, hwnd=%08x..\Common\ak_controller.cppm_hSession != NULLpByte16 != NULLpIV16 != NULL..\Common\ak_controller.cpppByte != NULLpIV != NULL%d.%d.%d.%d0.0.0.0[CController::Initialize] MKD2_CRACH_SKEY_CHKANDSTOP Success[CController::Initialize] MKD2_CRACH_SKEY_CHKANDSTOP Error [0x%08x][CController::Terminate] Mkd2Ctl_Terminate() fail.(0x%08x)[CController::PsPageInInit] Mkd2Ctl_PsPageInInit() fail.(0x%08x)[CController::PsPageInInit] Changed to unprotected mode[CController::PsPageInInit] Mkd2Ctl_AddFilterMode, dwResult=%d[CController::PsPageOutCleanUp] Mkd2Ctl_PsPageOutCleanUp() fail.(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(%ld)dwError == 0[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD20) error(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD26) error(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD25) error(0x%08x)[CController::GetKeyActionTable] Mkd2Ctl_Get_Rule_VersionEx error=%d[CController::SetKeyActionTable] GetKeyActionTable error(0x%08x)[CController::SetKeyActionTable] Mkd2Ctl_Set_Rule_VersionEx(%ld)[CController::SetKeyActionTable] Mkd2Ctl_Set_Rule_VersionEx(%ld) error(0x%08x)[CController::SetAkCtlLogPath] log skipAkCtl.log[CController::SetAkCtlLogPath] Mkd2Ctl_StartSecureLogAndSetPath szLogPath[%s][CController::SetAkCtlLogPath] Mkd2Ctl_StartSecureLogAndSetPath Failed[0x%08x][CController::PreInitialize] IsVirtualMachine, dwVMType=%x[CController::PreInitialize] Running on server OS. Skip using AK driver
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [CDriverLoaderForVista::SetDriverParam] lRet=%d, dwParam=%x, dwInstallDate=%xParam1SYSTEM\CurrentControlSet\Services\Mkd2KfNtSYSTEM\CurrentControlSet\Services\Mkd3KfNtInstallDateSOFTWARE\Microsoft\Windows NT\CurrentVersion[CDriverLoaderForVista::UnSetDriverParam] lRet=%dvboxvmware{4D36E967-E325-11CE-BFC1-08002BE10318}QEMU-GASetupDiGetDeviceRegistryPropertyASetupDiEnumDeviceInfoSetupDiDestroyDeviceInfoListSetupDiGetClassDevsAsetupapi.dll
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine, dwType=%d
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware View Agentwsnm.exexenguestagent.exepvsvmagent.exectxsvchost.exebrokeragent.exe
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware View Agentwsnm.exexenguestagent.exepvsvmagent.exectxsvchost.exebrokeragent.exeP
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver bypass.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_StartSecureLogAndSetPath failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] IsVirtualMachine, dwVMType=%d[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop failed. (0x%x)[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop leave.[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop enter.[CDriverLoaderForVista::CreateDriverCtrlThread] _beginthreadex failed. %d[CDriverLoaderForVista::LoadDriver] already loaded.[CDriverLoaderForVista::LoadDriver] called.[CDriverLoaderForVista::UnloadDriver] not loaded.[CDriverLoaderForVista::UnloadDriver] called.
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [CDriverLoaderForVista::DriverCtrlThreadProc] IsVirtualMachine, dwVMType=%d

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100FB0BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_100FB0BA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_101101FA

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100151A4 lstrcmpiW,AllocateAndInitializeSid,GetLastError,HeapAlloc,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetLastError,GetFileSecurityW,GetLastError,GetProcessHeap,HeapAlloc,GetFileSecurityW,GetLastError,InitializeSecurityDescriptor,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetAclInformation,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,GetLastError,GetAce,GetLastError,EqualSid,AddAce,GetLastError,AddAccessAllowedAce,GetLastError,GetAce,GetAce,GetLastError,AddAce,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetModuleHandleW,GetProcAddress,GetSecurityDescriptorControl,GetLastError,GetLastError,SetFileSecurityW,GetLastError,

0_2_100151A4

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FB0BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_100FB0BA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FD98A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_100FD98A
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1010FF2F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_1010FF2F

HIPS / PFW / Operating System Protection Evasion

Found driver which could be used to inject code into processes

Source: medvpdrv.sys.6.dr	Static PE information: Found potential injection code
Source: medvpdrv.sys0.6.dr	Static PE information: Found potential injection code

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y\| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100FA845 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_memset,GetVersionExW,CreateMutexW,CreateMutexW,CreateMutexW,GetCurrentProcessId,

0_2_100FA845

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100151A4

Source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: .\FunctionHook.cpp[HookFunction] Fatal error : Can't add FunctionHookInfo.\FunctionHook.cpp[HookFunction] Can't Hook the %S %p.\FunctionHook.cpp[HookFunction] Can't find the %S's address.\FunctionHook.cpp[HookFunction] Can't get the %S's address.\FunctionHook.cpp[HookFunction] Can't load the %S.\FunctionHook.cpp[FH_FindCodePattern] exception, Failed to find patternuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeRtlRetrieveNtUserPfnntdll.dllRtlRetrieveNtUserPfnntdll.dllNtQueryInformationProcessntdll.dllNtQueryInformationProcessntdll.dll%02X.\GlobalHookProtect.cppAtsVerifyExternalFile(CAT) - file=[%s], result=[0x%08X].\GlobalHookProtect.cpp[AhnLabSignatureCheckFunc] ptszSourceFile is NULL.\GlobalHookProtect.cppAtsVerifyInternalFile() - file=[%s], result=[0x%08X].\GlobalHookProtect.cpp[AhnClientLoadLibrary] PROTECT >> %sATamptU.dll.\GlobalHookProtect.cpp[AhnClientLoadLibrary] Exception !!ATamptU.dllATamptU.dllATamptU.dllATamptU.dllATamptU.dlluser32.dllgSharedInfo.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] Find_pfnClient Failed.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] FH_HookFunction Failed.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] GetModuleHandleW Failed.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] Initialize.\GlobalHookProtect.cpp[GlobalHookProtect_Finalize] Finalize.\GlobalHookProtect.cpp[GlobalHookProtect_Start] Start.\GlobalHookProtect.cpp[GlobalHookProtect_Stop] Stopuser32.dllUserClientDllInitializeuser32.dllPeekMessageAuser32.dllPeekMessageWuser32.dllGetMessageAuser32.dllGetMessageWuser32.dllSendMessageAuser32.dllSendMessageWuser32.dllPostMessageAuser32.dllPostMessageWuser32.dllDispatchMessageAuser32.dllDispatchMessageWuser32.dllPostQuitMessageShell_TrayWndDV2ControlHostTaskListThumbnailWndWindows.UI.Core.CoreWindow

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: GetLocaleInfoA,		0_2_10111771
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		0_2_1000C1D0

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1010B0DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_1010B0DB

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1010BB2E __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_1010BB2E

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100FA845 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_memset,GetVersionExW,CreateMutexW,CreateMutexW,CreateMutexW,GetCurrentProcessId,

0_2_100FA845

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100151A4

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
webclinic.ahnlab.com.cdngc.net	101.79.212.66	true
gms.wip.ahnlab.com	34.249.110.217	true
webclinic.ahnlab.com	unknown	unknown
gms.ahnlab.com	unknown	unknown

AV Detection

Antivirus or Machine Learning detection for unpacked file

Source: 6.3.V3Medic.exe.5b54600.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.V3Medic.exe.5ab0000.5.unpack	Avira: Label: TR/Patched.Ren.Gen7
Source: 6.3.V3Medic.exe.6065a80.14.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1007F680 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

0_2_1007F680

Compliance

Uses 32bit PE files

Source: astx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_en_US.txt	Jump to behavior
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_ko_kr.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File opened: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\ASDTEMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\Microsoft.VC90.CRT.manifest	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\drvinfo_astx.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\ipcntry.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzcmncfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzdefcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\product.dat.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\mupdate2.cfg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Product.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\astx.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipprt.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\aos.sld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\aspinfo.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\extraopn_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\netizen_ply_default.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\ply_ver.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\starter_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_f.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\checkboxes.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\custom_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_hover.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_normal.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_firewall.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_log_viewer.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_error.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_on.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_product_tray.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_quarantine.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_detect.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_setting.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_stx_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_alert.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_shel_check.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_listctrl_header.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_popup_titlebar.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_safe.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo_about.bmp	Jump to behavior

Source: astx_setup.exe

Static PE information: certificate valid

Source: astx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AhnRghNt.pdb source: V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\WinFWMgr\Trunk\Build\X64Release.vc90\WinFWMgr.pdb source: V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\PdCfg.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1795673899.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Av.pdb source: V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\UpEx.pdb source: V3Medic.exe, 00000006.00000003.1838675962.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptNt.pdb source: V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmCtrl.pdb source: V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AHAWKENT.pdb source: V3Medic.exe, 00000006.00000003.2203334329.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDLH.pdb source: V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDnt.pdb source: V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdb source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\build\X64Release.vc60\AhnCtlKD.pdb source: V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\HsbCtl.pdb source: V3Medic.exe, 00000006.00000003.1746313302.0000000003A5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.i386.pdb source: V3Medic.exe, 00000006.00000003.1941544747.0000000005E6A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrumt.pdb source: V3Medic.exe, 00000006.00000003.2376704009.0000000006BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: certutil.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzPlugin.pdb source: V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\_building\Build\Engine\EngineNG\brahma\trunk\build\msvc6_win64\AMD64Release\bin\asc_main.pdb source: V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: HSBDrv64.pdb source: V3Medic.exe, 00000006.00000003.1994448685.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1965582045.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdb source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Nadr.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2002829645.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\AupASD.pdb source: V3Medic.exe, 00000006.00000003.2098362304.00000000038A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDUp.pdb source: V3Medic.exe, 00000006.00000003.2086586393.0000000003856000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mfc90u.amd64.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Mkd3kfNt.pdb source: V3Medic.exe, 00000006.00000003.2005506483.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2006028938.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1419152820.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1993346827.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\Win32Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdbGCTL source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtInst.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrust.pdb source: V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: V3ElamDr.pdb source: V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2049620514.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.amd64.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25sdk.pdb source: V3Medic.exe, 00000006.00000003.1569077142.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1596806201.0000000005DEC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\SysX64.pdb source: SysX64.exe, 0000000F.00000000.1385836130.000000000040F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDSvc.pdb source: V3Medic.exe, 00000006.00000003.2080153436.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCr.pdb source: V3Medic.exe, 00000006.00000003.2072555587.000000000385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AHAWKE.pdb source: V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\ahnlab\system\common\public\monster_v4.0\trunk\src\amonlwlh\amd64\AMonLWLH.pdb source: V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzBrcom.pdb source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: V3ElamCt.pdb source: V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\local_temp\win_amd64_unicode_msvs09\AHLOHA\Ahloha1.4.0.1_SRC\build\msvs09\x64\Release\ahloha.pdb source: V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmAPI.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSvr.pdb source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltCtl.pdb source: V3Medic.exe, 00000006.00000003.2029624911.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltDrv.pdb source: V3Medic.exe, 00000006.00000003.2048550396.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Building\TSMime\TSMime_1.0\build\X64Release.vc90\tsmime.pdb source: V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\V3Cert.pdb source: V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonHKnt.pdb source: V3Medic.exe, 00000006.00000003.2209193882.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TfFRegNt.pdb source: V3Medic.exe, 00000006.00000003.2293256353.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2293596896.0000000000638000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb 0 source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdbGCTL source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\NT32Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90u.i386.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Core.pdb source: V3Medic.exe, 00000006.00000003.2174084552.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2227219595.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\TNNetUtil.pdb source: V3Medic.exe, 00000006.00000003.2200976148.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb@ source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\x64Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release32On64\HsbCtl32.pdb source: V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdb source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptU.pdb source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCli.pdb source: V3Medic.exe, 00000006.00000003.2066690791.0000000003855000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi.pdb source: V3Medic.exe, 00000006.00000003.1797309111.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\devel\Ark6\bin.sdk\Ark64lgplv2.pdb source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\build\system\product\mkd\korenc\building\build\ahnlab\system\product\mkd\korenc\trunk\src\klib_sys\amd64\klb64mkd.pdb source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDi.pdb source: V3Medic.exe, 00000006.00000003.2141353793.000000000385B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Cdm2DrNt.pdb source: V3Medic.exe, 00000006.00000003.2221847702.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AKDVE.pdb source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: certadm.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1548503760.0000000000620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Bthf.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2000992273.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdbp$ source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\AhnLab\Common\BTScan\Trunk\Build\AMD64\Free\BtScnCtl.pdb source: V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdbL source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdb source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1946553042.0000000005FC7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\ais\ahni2\master-36\build\git\AIS\ahni2\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.2122627555.0000000006ABD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\AhnIEx.pdb source: astx_setup.exe, 00000000.00000002.2487160386.000000001015C000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb 0 source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb! source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007633 IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_10007633
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000776E IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_1000776E
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100157E0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_100157E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007A49 FindFirstFileW,FindClose,GetLastError,	0_2_10007A49
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007AAA FindFirstFileW,FindClose,	0_2_10007AAA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10009FBA FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_10009FBA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100086D8 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindNextFileW,FindClose,GetLastError,	0_2_100086D8

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp\	Jump to behavior

Networking

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ftp://http://HTTP/1.0
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%1/CertEnroll/%1_%3%4.crtfile://
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%1/CertEnroll/%3%8%9.crlfile://
Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http:///..
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://allyoucanleet.com/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://broofa.com/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/SecureCertificateServices.crl09
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/globalca1.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng3.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0Y
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: V3Medic.exe, 00000006.00000003.1378099121.0000000003240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://download.ahnlab.com/down/ahnreport/AhnRpt.exe
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gladman.plushost.co.uk/oldsite/AES/index.php
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/)
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://json.org/).
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mathiasbynens.be/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mattmahoney.net/dc/zpaq.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mattmahoney.net/zpaq/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ncompress.sourceforge.net/
Source: astx_setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng30V
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.ahnlab.com.
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng3ocsp.crt04
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://site.icu-project.org/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sourceforge.jp/projects/lha/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sourceforge.net/p/infozip/patches/18/
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcd.com0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wakaba.c3.cx/s/apps/unarchiver.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.7-zip.org/download.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.7-zip.org/sdk.html
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aarongifford.com/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aescrypt.com/
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=en_US2http://www.ahnlab.com/redir/1101.rdir?locale=en_U
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=ko_KR2http://www.ahnlab.com/redir/1101.rdir?locale=ko_K
Source: V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=sp_ES2http://www.ahnlab.com/redir/1101.rdir?locale=sp_E
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.arjsoftware.com/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bzip.org/downloads.html
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cabextract.org.uk/libmspack/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.compression.ru/ds/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/pub/infozip/license.html.
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kmonos.net/lib/xacrett.en.html
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.apple.com/apsl/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.apple.com/source/xnu/xnu-1486.2.11/bsd/vfs/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/)
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)MD5
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rarlab.com/rar_add.htm
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wavpack.com/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winace.com/
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/zlib_license.html
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://yuilibrary.com/license/
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%1/CertEnroll/nsrev_%3.aspldap:///CN=%7%8
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.bandisoft.com
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://code.bandisoft.com/
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/activate/client
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/activate/relay
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/healthcheck
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/zopfli
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/necolas/normalize.css/
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wycats/handlebars.js
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wycats/handlebars.js)
Source: V3Medic.exe, 00000006.00000003.1486462149.0000000000611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jp.ahnlab.com/site/support/qna/qnaAddForm2.do;
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/client
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/relay
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/relayhttps://mgactivation.ahnlab.com/api/auth/v
Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/healthcheck
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://opensource.ahnlab.com
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://seed.kisa.or.kr/iwt/ko/sup/EgovLeaInfo.do
Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bandisoft.com
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs

Source: unknown

DNS traffic detected: queries for: gms.ahnlab.com

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10081531 WSASetLastError,recv,WSAGetLastError,

0_2_10081531

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: V3Medic.exe PID: 6624, type: MEMORYSTR

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\NSIS.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ca2.der	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ca.der	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\NSIS.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\V3ElamDr.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.cat	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_arm64.nz entropy: 7.99987389692	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_com.nz entropy: 7.99992425007	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_nt32.nz entropy: 7.99994581027	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_x64.nz entropy: 7.99996367978	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_ARM64.nz entropy: 7.99997967236	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Common.nz entropy: 7.99995972837	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_ARM64.nz entropy: 7.99992330835	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_NT32.nz entropy: 7.99991798674	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_X64.nz entropy: 7.99993900021	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_NT32.nz entropy: 7.99995451457	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Res.nz entropy: 7.99808528554	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_X64.nz entropy: 7.99996849744	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_ARM64.nz entropy: 7.99962010979	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_NT32.nz entropy: 7.99968840658	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_X64.nz entropy: 7.9996709535	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_ARM64.nz entropy: 7.99997224914	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_NT32.nz entropy: 7.99997283206	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_X64.nz entropy: 7.99997706581	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_ARM64.nz entropy: 7.99993645268	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_NT32.nz entropy: 7.99993597151	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_X64.nz entropy: 7.99993716897	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_ARM64.nz entropy: 7.99974501255	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_NT32.nz entropy: 7.99971520737	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_X64.nz entropy: 7.99975169927	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_ARM64.nz entropy: 7.99851995659	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_NT32.nz entropy: 7.99884081465	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_X64.nz entropy: 7.99914416454	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Update.nz entropy: 7.99991954609	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\asdahc.nz entropy: 7.99403404133	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\geo.asd entropy: 7.99435509055	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\geo.asd entropy: 7.99435509055	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\gof.dat entropy: 7.99341158373	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\gof.dat entropy: 7.99341158373	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msg.dat entropy: 7.99989526323	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\msg.dat entropy: 7.99989526323	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Prtect.dat entropy: 7.99468772612	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat entropy: 7.99468772612	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tnnipsig.rul entropy: 7.9985827226	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul entropy: 7.9985827226	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\defcfg.db entropy: 7.99346459276	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db entropy: 7.99346459276	Jump to dropped file

System Summary

Uses 32bit PE files

Source: astx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000D6BA AI_ExitWindows,AhnIEx_ExitWindows,		0_2_1000D6BA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1001869A AhnIEx_ExitWindows,AhnIEx_IsWinNT,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,		0_2_1001869A

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File created: C:\Windows\AhnInst.log

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100EF060	0_2_100EF060
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A7080	0_2_100A7080
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_101150A7	0_2_101150A7
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_101130A7	0_2_101130A7
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B30B0	0_2_100B30B0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A30E0	0_2_100A30E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B10E0	0_2_100B10E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009B110	0_2_1009B110
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A51C0	0_2_100A51C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C7320	0_2_100C7320
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3320	0_2_100F3320
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009F340	0_2_1009F340
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009B360	0_2_1009B360
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A9380	0_2_100A9380
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A53B0	0_2_100A53B0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A1410	0_2_100A1410
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AB440	0_2_100AB440
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3440	0_2_100F3440
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3450	0_2_100A3450
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3488	0_2_100F3488
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100734F0	0_2_100734F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5550	0_2_100A5550
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B15E0	0_2_100B15E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_101135EB	0_2_101135EB
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100DF640	0_2_100DF640
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A9650	0_2_100A9650
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B3700	0_2_100B3700
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3750	0_2_100A3750
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5760	0_2_100A5760
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008D780	0_2_1008D780
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009F7E0	0_2_1009F7E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100DF7F0	0_2_100DF7F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B1800	0_2_100B1800
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F58F0	0_2_100F58F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009B920	0_2_1009B920
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100EF940	0_2_100EF940
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AD970	0_2_100AD970
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1010D98B	0_2_1010D98B
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F3A60	0_2_100F3A60
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5A70	0_2_100A5A70
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F5B10	0_2_100F5B10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10113B2F	0_2_10113B2F
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1009FBF0	0_2_1009FBF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A9C50	0_2_100A9C50
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C3C80	0_2_100C3C80
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100DFC80	0_2_100DFC80
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1003DCD0	0_2_1003DCD0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E3CE0	0_2_100E3CE0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E7CF0	0_2_100E7CF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008DD00	0_2_1008DD00
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10073D10	0_2_10073D10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C1D20	0_2_100C1D20
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3D30	0_2_100A3D30
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F5D50	0_2_100F5D50
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5D90	0_2_100A5D90
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A3DF0	0_2_100A3DF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FBDF1	0_2_100FBDF1
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C3E10	0_2_100C3E10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C1EF0	0_2_100C1EF0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10073F10	0_2_10073F10
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A5F20	0_2_100A5F20
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B1FA0	0_2_100B1FA0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10105FC2	0_2_10105FC2
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008E058	0_2_1008E058
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A4050	0_2_100A4050
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A2080	0_2_100A2080
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AC0E0	0_2_100AC0E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F60E0	0_2_100F60E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AA130	0_2_100AA130
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A01A0	0_2_100A01A0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F41C0	0_2_100F41C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008A200	0_2_1008A200
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008A229	0_2_1008A229
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F0220	0_2_100F0220
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10114227	0_2_10114227
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A42A0	0_2_100A42A0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FC2C6	0_2_100FC2C6
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E8300	0_2_100E8300
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A2340	0_2_100A2340
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100F4340	0_2_100F4340
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100EE350	0_2_100EE350
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100D0370	0_2_100D0370
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008E390	0_2_1008E390
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008C3E0	0_2_1008C3E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A63F0	0_2_100A63F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AA3F0	0_2_100AA3F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10074420	0_2_10074420
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B4430	0_2_100B4430
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B6490	0_2_100B6490
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A44A0	0_2_100A44A0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100524D0	0_2_100524D0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A0560	0_2_100A0560
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100C45C0	0_2_100C45C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1008C5F0	0_2_1008C5F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B4610	0_2_100B4610
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100D6610	0_2_100D6610
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A8630	0_2_100A8630
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A2680	0_2_100A2680
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FC69A	0_2_100FC69A
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100B2690	0_2_100B2690
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100A46C0	0_2_100A46C0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100AA6E0	0_2_100AA6E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100506F0	0_2_100506F0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100E0770	0_2_100E0770
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000A7B7	0_2_1000A7B7
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002	6_3_00635002
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00642484	6_3_00642484
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644688	6_3_00644688
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064195B	6_3_0064195B
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00644909	6_3_00644909
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640786	6_3_00640786
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_006435EA	6_3_006435EA
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640BF2	6_3_00640BF2
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064354C	6_3_0064354C
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064354C	6_3_0064354C
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_006435EA	6_3_006435EA
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640BF2	6_3_00640BF2
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_0064354C	6_3_0064354C
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_006435EA	6_3_006435EA
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00640BF2	6_3_00640BF2

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 10105818 appears 55 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FB0D0 appears 620 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FAF3D appears 44 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 10051590 appears 84 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FADEC appears 263 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 10017248 appears 51 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F8A0 appears 105 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F950 appears 374 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F970 appears 49 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1004F8E0 appears 81 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 100FAADF appears 39 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1000A6E4 appears 49 times
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: String function: 1005DA30 appears 48 times

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10006383 __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3,_memset,GetLastError,GetLastError,CreateProcessAsUserW,GetLastError,GetLastError,

0_2_10006383

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: astx_setup.exe, 00000000.00000002.2487880272.000000001017D000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: OriginalFilenameAhnIEx.dll( vs astx_setup.exe

Tries to load missing DLLs

Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90enu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Section loaded: mfc90loc.dll	Jump to behavior

Contains functionality to delete services

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_10013A39

Source: C:\Users\user\Desktop\astx_setup.exe

File read: C:\Users\user\Desktop\astx_setup.exe

Jump to behavior

Source: astx_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\astx_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\astx_setup.exe C:\Users\user\Desktop\astx_setup.exe
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y\| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe "C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe"
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y\| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"	Jump to behavior
Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe "C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_1001869A

Source: C:\Users\user\Desktop\astx_setup.exe

File created: C:\Users\user\AppData\Local\Temp\nspB39D.tmp

Jump to behavior

Source: classification engine

Classification label: sus34.rans.troj.evad.winEXE@16/713@3/0

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100162BF __EH_prolog3,CoCreateInstance,_wcsrchr,

0_2_100162BF

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,CloseServiceHandle,GetLastError,		0_2_100135A9
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: AI_CreateService2,		0_2_1000E5CE

Source: C:\Users\user\Desktop\astx_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1000D788 AI_GetDiskFreeSpace,AhnIEx_GetDiskFreeSpace,AhnIEx_snprintf,

0_2_1000D788

Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s;
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100136B9

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_02
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_mutex_ahni2_log_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:304:WilStaging_02
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_Mutex_AIL_SingleInstance_{FF56B785-EF71-461B-AF11-9891E8303723}_ASTX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_02
Source: C:\Users\user\Desktop\astx_setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_Mutex_AIL_Log_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:304:WilStaging_02

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_10019718 LoadResource,LockResource,SizeofResource,

0_2_10019718

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File created: C:\Program Files\AhnLab

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

File written: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\BldInfo.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

File opened: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll

Jump to behavior

Source: astx_setup.exe

Static file information: File size 81412376 > 1048576

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\image	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\table	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\ASDTEMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\Microsoft.VC90.CRT.manifest	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\drvinfo_astx.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\ipcntry.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzcmncfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzdefcfg.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcp90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcr90.dll.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\AHC\product.dat.ahc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\mupdate2.cfg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Product.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\astx.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipprt.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\aos.sld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\aspinfo.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\extraopn_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\netizen_ply_default.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\ply_ver.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\starter_ply.ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dafault.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dim.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_over.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_f.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_h.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_n.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_p.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\checkboxes.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\custom_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_focus.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_hover.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_normal.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_pressed.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_firewall.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_log_viewer.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_error.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_on.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_product_tray.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_quarantine.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_detect.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_setting.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_stx_info.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_alert.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_complete.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_default.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_disable.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_shel_check.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_listctrl_header.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_popup_titlebar.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_safe.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_warning.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_bg.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_line.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_mid.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_left.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_right.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo_about.bmp	Jump to behavior

Source: astx_setup.exe

Static PE information: certificate valid

Source: astx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AhnRghNt.pdb source: V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\WinFWMgr\Trunk\Build\X64Release.vc90\WinFWMgr.pdb source: V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\PdCfg.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1795673899.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Av.pdb source: V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\UpEx.pdb source: V3Medic.exe, 00000006.00000003.1838675962.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptNt.pdb source: V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmCtrl.pdb source: V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AHAWKENT.pdb source: V3Medic.exe, 00000006.00000003.2203334329.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDLH.pdb source: V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonTDnt.pdb source: V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdb source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\build\X64Release.vc60\AhnCtlKD.pdb source: V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\HsbCtl.pdb source: V3Medic.exe, 00000006.00000003.1746313302.0000000003A5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.i386.pdb source: V3Medic.exe, 00000006.00000003.1941544747.0000000005E6A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrumt.pdb source: V3Medic.exe, 00000006.00000003.2376704009.0000000006BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: certutil.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzPlugin.pdb source: V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\_building\Build\Engine\EngineNG\brahma\trunk\build\msvc6_win64\AMD64Release\bin\asc_main.pdb source: V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: HSBDrv64.pdb source: V3Medic.exe, 00000006.00000003.1994448685.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1965582045.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdb source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Nadr.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2002829645.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\AupASD.pdb source: V3Medic.exe, 00000006.00000003.2098362304.00000000038A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDUp.pdb source: V3Medic.exe, 00000006.00000003.2086586393.0000000003856000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mfc90u.amd64.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Mkd3kfNt.pdb source: V3Medic.exe, 00000006.00000003.2005506483.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2006028938.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1419152820.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1993346827.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\Win32Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AMonCDw7.pdbGCTL source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtInst.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrust.pdb source: V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: V3ElamDr.pdb source: V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2049620514.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcm90.amd64.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25sdk.pdb source: V3Medic.exe, 00000006.00000003.1569077142.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1596806201.0000000005DEC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\SysX64.pdb source: SysX64.exe, 0000000F.00000000.1385836130.000000000040F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDSvc.pdb source: V3Medic.exe, 00000006.00000003.2080153436.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCr.pdb source: V3Medic.exe, 00000006.00000003.2072555587.000000000385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AHAWKE.pdb source: V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\ahnlab\system\common\public\monster_v4.0\trunk\src\amonlwlh\amd64\AMonLWLH.pdb source: V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzBrcom.pdb source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: V3ElamCt.pdb source: V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\local_temp\win_amd64_unicode_msvs09\AHLOHA\Ahloha1.4.0.1_SRC\build\msvs09\x64\Release\ahloha.pdb source: V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\CdmAPI.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSvr.pdb source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltCtl.pdb source: V3Medic.exe, 00000006.00000003.2029624911.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TSFltDrv.pdb source: V3Medic.exe, 00000006.00000003.2048550396.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Building\TSMime\TSMime_1.0\build\X64Release.vc90\tsmime.pdb source: V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\V3Cert.pdb source: V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonHKnt.pdb source: V3Medic.exe, 00000006.00000003.2209193882.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TfFRegNt.pdb source: V3Medic.exe, 00000006.00000003.2293256353.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2293596896.0000000000638000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb 0 source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdbGCTL source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\NT32Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90u.i386.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Core.pdb source: V3Medic.exe, 00000006.00000003.2174084552.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2227219595.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\TNNetUtil.pdb source: V3Medic.exe, 00000006.00000003.2200976148.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb@ source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\x64Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release32On64\HsbCtl32.pdb source: V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AMonCDw8.pdb source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ATamptU.pdb source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCli.pdb source: V3Medic.exe, 00000006.00000003.2066690791.0000000003855000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi.pdb source: V3Medic.exe, 00000006.00000003.1797309111.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\devel\Ark6\bin.sdk\Ark64lgplv2.pdb source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\build\system\product\mkd\korenc\building\build\ahnlab\system\product\mkd\korenc\trunk\src\klib_sys\amd64\klb64mkd.pdb source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDi.pdb source: V3Medic.exe, 00000006.00000003.2141353793.000000000385B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Cdm2DrNt.pdb source: V3Medic.exe, 00000006.00000003.2221847702.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\Build\X64Release.vc60\AKDVE.pdb source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: certadm.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1548503760.0000000000620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Mkd2Bthf.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2000992273.000000000062B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdbp$ source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: U:\AhnLab\Common\BTScan\Trunk\Build\AMD64\Free\BtScnCtl.pdb source: V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALWFCtrl.pdbL source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdb source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1946553042.0000000005FC7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Build\ais\ahni2\master-36\build\git\AIS\ahni2\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.2122627555.0000000006ABD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\AhnIEx.pdb source: astx_setup.exe, 00000000.00000002.2487160386.000000001015C000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb 0 source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb! source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2413738502.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: astx_setup.exe PID: 6348, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FB580 push ecx; ret	0_2_100FB593
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1010585D push ecx; ret	0_2_10105870
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00635002 pushad ; retn 0000h	6_3_00635AF1
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Code function: 6_3_00631142 push FFFFFF89h; retf	6_3_00631144

PE file contains sections with non-standard names

Source: medvphku.dll.6.dr	Static PE information: section name: .detourc
Source: medvphku.dll.6.dr	Static PE information: section name: .detourd
Source: medvphku.dll.6.dr	Static PE information: section name: .UPX0
Source: medvphku.dll0.6.dr	Static PE information: section name: .detourc
Source: medvphku.dll0.6.dr	Static PE information: section name: .detourd
Source: medvphku.dll0.6.dr	Static PE information: section name: .UPX0
Source: medvphkuw6.dll.6.dr	Static PE information: section name: .detourc
Source: medvphkuw6.dll.6.dr	Static PE information: section name: .detourd
Source: medvphkuw6.dll.6.dr	Static PE information: section name: .UPX0
Source: medvphkuw6.dll0.6.dr	Static PE information: section name: .detourc
Source: medvphkuw6.dll0.6.dr	Static PE information: section name: .detourd
Source: medvphkuw6.dll0.6.dr	Static PE information: section name: .UPX0
Source: trueeyesu.dll.6.dr	Static PE information: section name: .detourc
Source: trueeyesu.dll.6.dr	Static PE information: section name: .detourd
Source: trueeyesu.dll.6.dr	Static PE information: section name: .UPX0
Source: trueeyesu.dll0.6.dr	Static PE information: section name: .detourc
Source: trueeyesu.dll0.6.dr	Static PE information: section name: .detourd
Source: trueeyesu.dll0.6.dr	Static PE information: section name: .UPX0
Source: ScrMon32.dll.6.dr	Static PE information: section name: .ScrmonS
Source: ScrMon32.dll0.6.dr	Static PE information: section name: .ScrmonS
Source: Ark64.dll.6.dr	Static PE information: section name: text
Source: Ark64.dll0.6.dr	Static PE information: section name: text

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_101101FA

Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.008144709647387
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.008144709647387
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.097619293313276
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.097619293313276
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.030662826386985
Source: initial sample	Static PE information: section name: .UPX0 entropy: 7.030662826386985

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcp90.dll	Jump to dropped file

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ATampt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\AhnIEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AhnIEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysARM64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AI7z20.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AhnI2t.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATampt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\NzInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Nz32\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nss3.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Windows\System32\drivers\AMonLWLH.sys	Jump to dropped file

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1000B0F4 AhnIEx_SetMode,AhnIEx_GetMode,AhnIEx_GetMode,AhnIEx_GetMode,_memset,AhnIEx_IsWinNT,AhnIEx_IsWinNT,AhnIEx_IsWinNT,GetPrivateProfileStringW,

0_2_1000B0F4

Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_en_US.txt	Jump to behavior
Source: C:\Users\user\Desktop\astx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_ko_kr.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\license.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File created: C:\Program Files\AhnLab\Safe Transaction\license.txt	Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mkd2Nadr

Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100136B9

Hooking and other Techniques for Hiding and Protection

May modify the system service descriptor table (often done to hook functions)

Source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: KeServiceDescriptorTable

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_1001D082

Uses cacls to modify the permissions of files

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)

Source: C:\Users\user\Desktop\astx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys, type: DROPPED
Source: Yara match	File source: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys, type: DROPPED

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\astx_setup.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TSFltCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcored.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Medic.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ATampt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\asc_main.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\PdCfg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKENT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDWsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCtInst.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplc4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\aostrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysARM64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AI7z20.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\klb64mkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd3kfnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AupASD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AKDVE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\atstrust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCli.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\ScrMon32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tsmime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AhnRghNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonTDLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonCDW8.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\UpEx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplds4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkuw6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medcore.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\WinFWMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\Mkd2Nadr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonHKnt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSess.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphkd.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AtamptU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SCTX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\V3ElamDr.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ahloha.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\NzBrcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Av.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90DEU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3ElamCt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\HsbDrv64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\Mkd2bthf.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATampt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\AMonCDW7.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzInst32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphku.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzBrcom32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TSFltDrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3Cert.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd2564.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\libacm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TFFREGNT.SYS	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSvr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\aostrust32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ambassmt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Cdm2DrNt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\trueeyesu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvpdrv.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TNNetUtil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Ark64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Dropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\astx_setup.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007633 IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_10007633
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1000776E IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,	0_2_1000776E
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100157E0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_100157E0
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007A49 FindFirstFileW,FindClose,GetLastError,	0_2_10007A49
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10007AAA FindFirstFileW,FindClose,	0_2_10007AAA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_10009FBA FindFirstFileW,GetLastError,FindNextFileW,FindClose,	0_2_10009FBA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100086D8 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindNextFileW,FindClose,GetLastError,	0_2_100086D8

Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Quarantine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	File opened: C:\Program Files\AhnLab\Safe Transaction\Temp\	Jump to behavior

Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware View Agent
Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_PcLog.cpp[IAstxSaPcLogImpl::Initialize] called[IAstxSaPcLogImpl::Uninitialize] calledIAstxSaPcLogImpl::GetPcLogA[IAstxSaPcLogImpl::GetPcLogA] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d)VirtualMachineYnYN[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogA] dwError(0x%08x)IAstxSaPcLogImpl::GetPcLogW[IAstxSaPcLogImpl::GetPcLogW] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] dwError(0x%08x)[CStSdkSaPcLog::Uninitialize] called0
Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: setupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service.\AkMsgCtrl.cpp[CAkMsgCtrl::Initialize][CAkMsgCtrl::Initialize] _beginthreadex m_hAliveThread=%x, nThreadId=%x[CAkMsgCtrl::Initialize] _beginthreadex m_hProcessingThread=%x, nThreadId=%x[CAkMsgCtrl::Initialize] _beginthreadex m_hWaitingThread=%x, nThreadId=%x[CAkMsgCtrl::Finalize][CAkMsgCtrl::AliveThread][CAkMsgCtrl::WaitingThread]\\.\pipe\session(%d)nzbrco(%d)[CAkMsgCtrl::Callback] pRequest == NULL%s[CAkMsgCtrl::ProcessingThread]commandtypefilefilepathrbcommandseqe2e_inite2e_starte2e_cleare2e_focuse2e_blure2e_stopget_datae2e_alivee2e_uninite2e_unloade2e_gethashe2e_gettexte2e_settexte2e_forminite2e_formgetsdk_getenctext[CAkMsgCtrl::ProcessingThread] Unknown Request=%sACKresultpageid[CAkMsgCtrl::OnE2EUninit] pInstance == NULL, IsWindow(hwndFocus=%x) == %d[CAkMsgCtrl::OnE2EUnload] pInstance == NULL, IsWindow(hwndFocus=%x) == %de2e_inputidnamee2e_typeurlhwndvAlgcustcodeak_drvnosptw_vkeyw_kstr0call_settextcall_gettextvm_env1formmaxlengthtxtmsktypee2e_inputtype[CAkMsgCtrl::OnE2EFocus] pE2EInput == NULL21password[CAkMsgCtrl::OnE2EFocus] pInstance == NULL, hwndFocus=%x[CAkMsgCtrl::OnE2EFocus] pInstance == NULL, IsWindow(hwndFocus=%x) == false[CAkMsgCtrl::OnE2EFocus] Updated pE2EWindow->m_hwndFocus(%x) to hFocus(%x)[CAkMsgCtrl::OnE2EBlur] pInstance == NULL, IsWindow(hwndFocus=%x) == %d[CAkMsgCtrl::OnE2EBlur] ignored, still focused [CAkMsgCtrl::OnE2EStop] pInstance == NULL, IsWindow(hwndFocus=%x) == %dalgids1names1ids2names2uniqcert1cert2utimenorsa&=e2e_data2e2e_data1[CAkMsgCtrl::OnE2EGetHash] pE2EInput == NULL[CAkMsgCtrl::OnE2EGetHash] strHash(empty)hashwizvera_key[CAkMsgCtrl::OnE2EGetText] pE2EInput == NULL2231[CAkMsgCtrl::OnE2EGetText] not allowed, m_strE2EType=%s[CAkMsgCtrl::OnE2EGetText] Wizvera Mode. Key is empty.text[CAkMsgCtrl::OnE2EGetText] Wizvera Mode. Encrypt failed.e2eformnoenc[CAkMsgCtrl::OnE2ESetText] pE2EInput == NULLe2e_datancertversvre2e_form1e2e_form2[CAkMsgCtrl::OnE2EFormGet] pE2EInput == NULLcustomcoderandom[CAkMsgCtrl::OnSDKGetEncText] E2EMGR.GetEncTextStr() failed.getenctext.\apihook.cpphModuleHandleszExportAPI[HookFreeCodeGetProcAddress] EXCEPTION_EXECUTE_HANDLERpbMemBufpbRawBuf[GetOrgCodeFromFile] GetModuleHandle failed(errno=%ld,%s)dwRvaAddr > 0[GetOrgCodeFromFile] CreateFileA failed(errno=%ld,%s)[GetOrgCodeFromFile] CreateFileMapping failed(errno=%ld)[GetOrgCodeFromFile] MapViewOfFile failed(errno=%ld)[GetOrgCodeFromFile] ReadFile failed(errno=%ld)CallWindowProcWCallWindowProcAuser32.dll.\CallWindowProcApiHook.cppCCallWindowProcApiHook::Hook_CallWindowProcA FF SetSafeWndProc lpPrevWndFunc[0x%08x]xul.dllCCallWindowProcApiHook::Hook_
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \\.\pipe\nzsesspipeserver..\Common\NzSessMessageMgr.cpp[CNzSessMessageMgr::CNzSessMessageMgr] CAccessUtility::CreateEveryoneAccessibleSecurityDescriptor() failed.{7D33F21A-8B4E-4c90-B80D-227DBF687A4E}NULL != m_hSyncMutex[CNzSessMessageMgr::SendBrwsLogMessage] CPipeClient::CheckServer() failed. error=%d[CNzSessMessageMgr::SendBrwsLogMessage] CPipeClient::Connect() failed. error=%dCNzSessMessageMgr::SendSdkEstmMessage[CNzSessMessageMgr::SendSdkEstmMessage] CPipeClient::CheckServer() failed. error=%d[CNzSessMessageMgr::SendSdkEstmMessage] CPipeClient::Connect() failed. error=%dNULL != pSecureMsg[CNzSessMessageMgr::SendSdkExMessageIntRet] CPipeClient::CheckServer() failed.[CNzSessMessageMgr::SendSdkExMessageIntRet] CPipeClient::Connect() failed.[CNzSessMessageMgr::SendSdkExMessageStrRet] CPipeClient::CheckServer() failed.[CNzSessMessageMgr::SendSdkExMessageStrRet] CPipeClient::Connect() failed.xdigitwuppersspacepunctprintlowergraphdigitdcntrlblankalphaalnumteamviewervncrc40app.exercengmgru.exeManufacturerModelProduct\iphlpapi.dllGetExtendedTcpTablesetupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/..\Common\PcLogGatherer.cpp[CPcLogGatherer::Reload] m_hReloadThread=%x, m_nReloadThreadID=%d[CPcLogGatherer::Reload] PcLog is already reloadingCPcLogGatherer::ReloadInternalPrivIP%dGatewayIP%dGatewayIPIP_ETH0_PRIV_YNIP_ETH1_PRIV_YNIP_ETH2_PRIV_YN0.0.0.0ActiveGWIPPrivIP1PrivIP2PrivIP3McAdr%dMAC_ORG_ETH%dFORGERY_MAC_ETH%d_YNJuniper Network Connect Virtual Adapter%02X-%02X-%02X-%02X-%02X-%02X00-00-00-00-00-00McAdr%dFORGERY_MAC_YNVpnYnVpnIPVpnCntryCdIP_VPN_LCALUSE_VPNVPN_N_COUNTRY_CODEVPN_NIPWin32_BaseBoardSerialNumberMbSerial_VMMbSerial%MbProductNoMbManufacturerCustomHdSerial[CPcLogGatherer::UseCustomHDSerial] dwCustomHdSerial=%dHdSerial_VMHdSerialWMINOTSUPPORTEDHdSerial2HdSerial3Win32_DiskDriveDeviceIDphysicaldrive0HdModelDISKSERIALHdSerial1_NHHdSerial2_NHHdSerial3_NHWin32_PhysicalMediaTagphysicaldrive%d00000000000000000000UsbSerial%dSYSTEM\CurrentControlSet\services\USBSTOR\EnumCountWin32_OperatingSystemOSType%02xOsTypeCdOsVerCdOSLanguage%04xOsLangCdServicePackMajorVersionOsSpCdSOFTWARE\Microsoft\CryptographyMachineGuidOsGuidSYSTEM\CurrentControlSet\Control\Terminal ServerfDenyTSConnectionsOsRemoteYnSYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileEnableFirewallDoNotAllowExceptionsOsFwStupCd03OS_FIREWALL_CD0102%04d%02d%02dLogDate%02d%02d%02d%03ldLogTime1.0LogVerPrxyUseYnP_INFPrxyIPPrxyIP_sz15PrxyCntryCdPRXY_LCAL[CPcLogGatherer::GetPcLog] m_bTimeoutReload = TRUESoftware\AhnLab\Safe Transaction\pl[CPcLogGatherer::GetPcLog] Base64Decode error=%d[CPcLogGatherer::SetPcLog] skip (%s)[CPcLogGatherer::SetPcLog] Base64Encode error=%d[CPcLogGatherer::SetPcLog] reg.Create error=%d[CPcLogGatherer::SetPcLog] %s=%src50app.exercsemgru.exercuimgru.exeRD\|RSNORemoteEnvREMOTE_YNIS_REMOTEMadr%dValidYn^[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}$^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$Win32_keyboardDescriptionUSBPS/2%02dKbdType10-%03d-%03d-%02dOS_VSN_CD10OS_CD00OS_SPVSN99MSIEEdge60Firefox20rvOpera50OPRChromeEdg7030Safari40%s-%03d-%03d-000-000BwVsnCdBR_VERBR_LONG_NAMEBwVsnCd2%03d%s-%s-000Internet ExplorerMS EdgeEtcPubIPPubIPCntryCdENAT_ERR_CDW_COUNTRY_CODECPcLogGatherer::InitializeDBDB\ipcntry.db[CPcLogGatherer::InitializeDB] error : sqlite3_open(%s)CPcLogGatherer::SetCountryCodeselect CODE from t where START <= %u and END >= %uSTS_DHACKSTS_KEYLOG_YNELAPSED_TMCpuId_VMCpuIdCPUID0CPUID1Win32_ProcessorProcessorIdNameCpuNameCaptionCpuCaptionCpuId_NH%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02XSOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCardsServiceName%s=%s\\.\[CPcLogGatherer::GetNICMacAddress] CreateFileA(%s) error[CPcLogGatherer::GetSecuLogCount] Sdk Mode can't gathered SecuLog[CPcLogGatherer::GetSecuLogCount] cLogDB.Initialize() error[CPcLogGatherer::GetSecuLogCount] cLogDB.GetLogInterface() error[CPcLogGatherer::GetSecuLogCount] cLogDB.GetLogDataInterface() erro
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_PcLog.cpp[IAstxSaPcLogImpl::Initialize] called[IAstxSaPcLogImpl::Uninitialize] calledIAstxSaPcLogImpl::GetPcLogA[IAstxSaPcLogImpl::GetPcLogA] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d)VirtualMachineYnYN[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogA] dwError(0x%08x)IAstxSaPcLogImpl::GetPcLogW[IAstxSaPcLogImpl::GetPcLogW] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] dwError(0x%08x)[CStSdkSaPcLog::Uninitialize] calledH
Source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: optsvm_parallels[checVirtualMachine] vm_parallels=%d(result=%d)[procIsVmEnv] in1vm_env[procIsVmEnv] out (result:%s)[procIsRemoteEnv] inremote_env[procIsRemoteEnv] out (result:%s)[procIsVmRemoteEnv] invm_remote_env[procIsVmRemoteEnv] out (result:%s)[procIsOfflineMaster] in\|bldnum[procIsOfflineMaster] out (result:%s, strBldNum : %s)[CResponseASTx2::procIsNotSupportOS] ak=[%d], fw=[%d], pb=[%d], pcs=[%d]Description[CResponseASTx2::procIsNotSupportOS] QueryDWORDValue lRet=%d, dwDesc=0x%08x[CResponseASTx2::procIsNotSupportOS] %s127.0.0.10.0.0.0ASTX2application/javascript[handleTCPClientSSL] SSL is null
Source: V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_Mkd25.cpp[CStSdkSaMkd25::Initialize] module:(%s)[CStSdkSaMkd25::Initialize] GetProcAddress failed:(%s)[CStSdkSaMkd25::Initialize] LoadLibraryEx failed:(%s)[CStSdkSaMkd25::Uninitialize] called[CStSdkSaMkd25::GetObject8A] called[CStSdkSaMkd25::GetObject8W] called.\StSdkSa_Pb.cpp[IAstxSaPbImpl::Initialize] called[IAstxSaPbImpl::Initialize] Running on server OS[IAstxSaPbImpl::Uninitialize] calledIAstxSaPbImpl::StartA[IAstxSaPbImpl::StartA] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartA] return (%x)stsess.exe;stsess32.exe;aupasd.exe;asdwsc.exe;asdup.exe;asdsvc.exe;asdcr.exe;asdcli.exe;akdve.exe;vmtoolsd.exe;sg_oathexe.exe;microsoftedgecp.exe;[IAstxSaPbImpl::StartA] Skip using [HSB] driver[IAstxSaPbImpl::StartA] AhnHS_Start success[IAstxSaPbImpl::StartA] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StartW[IAstxSaPbImpl::StartW] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartW] return (%x)[IAstxSaPbImpl::StartW] Skip using [HSB] driver[IAstxSaPbImpl::StartW] success [IAstxSaPbImpl::StartW] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StopA[IAstxSaPbImpl::StopA] Skip using HSB driver[IAstxSaPbImpl::StopA] Success [IAstxSaPbImpl::StopA] Fail IAstxSaPbImpl::StopW[IAstxSaPbImpl::StopW] Skip using HSB driver[IAstxSaPbImpl::StopW] Success [IAstxSaPbImpl::StopW] Fail IAstxSaPbImpl::SetActivateSubFuncIAstxSaPbImpl::SetEventCallbackIAstxSaPbImpl::SetExOptionA[IAstxSaPbImpl::SetExOptionA] Skip using HSB driverexceptprocesspid[IAstxSaPbImpl::SetExOptionA] protectProcess Ins, ulOption:(%x)IAstxSaPbImpl::SetExOptionW[IAstxSaPbImpl::SetExOptionW] Skip using HSB driver[IAstxSaPbImpl::SetExOptionW] protectProcess Ins, ulOption:(%x)[IAstxSaPbImpl::IAstxSaPbImpl] Running on server OS[CStSdkSaPb::Uninitialize] called[CStSdkSaPb::StSdk_GetPbObject] calledL
Source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: serverteamviewervncWM_AKHOOK_SETSTATE\iphlpapi.dllGetExtendedTcpTablesetupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service%%%result\\.\pipe\session(%d)stsess[requestPIP] Connect failed(errno=%d,%s)[requestPIP] WriteAndBinRet failed(errno=%d,response=%d(%d),%s)rnd{v:%s,s:%s}{method:%d,salt:%d,stamp:%s}dataACKurlstampnorsa{method:%d,salt:%d,norsa:%d,stamp:%s}NCK[procCheckServer] result=%s,method=%dstepcert%dcert[procSetCert] result=%s,nstep=%d[procSetProtect] referer=%scustomeridakfwpbpcs[procSetProtect] customerid=[%s], ak=[%d], fw=[%d], pb=[%d], pcs=[%d][procSetProtect] customerid is invalidNSPfuncdynplycommand[procSetProtect] result=%sncert[procGetData] ncert=%d,norsa=%dcert1cert2pageid[procGetData] result=%s,pageid=%snlogoptbrowseripaddr[procGetPCLOGData] nlog=%d,norsa=%d,ipaddr=%s,browser=%s,opt=%s[procGetPCLOGData] useragent=%suseragent[procGetPCLOGData] result=%s(%.3fs)3stsvrsvr[procE2Estart] svr=%s,url=%s,useragent=%s, browser=%s,pageid=%sEGOTEG0hwnd[procE2Estart] response(%s)[procE2Estart] failed(%s)e2e_focuse2e_blur?[CResponseASTx2::getHost] AfxParseURL error(%d)https://%shttp://%s[CResponseASTx2::QueryToNzSessPipeServer] CPipeClient::CheckServer() failed. error=%d[CResponseASTx2::QueryToNzSessPipeServer] CPipeClient::Connect() failed. error=%d[CResponseASTx2::PostAIPScriptInfo] version=%s[CResponseASTx2::PostAIPScriptInfo] url=%s[CResponseASTx2::PostAIPScriptInfo] error=%d[CResponseASTx2::IsProtectedSite] %s, nIsProtectedSite=%d[CResponseASTx2::IsForgeryMonitorSite] %s, nIsScriptMonitorSite=%d[CResponseASTx2::IsForgeryScript] csUrl IsEmpty == true[CResponseASTx2::IsForgeryScript] csUrl=%s[CResponseASTx2::IsForgeryScript] csHost=%s[CResponseASTx2::IsForgeryScript] csObjectName=%s[CResponseASTx2::IsForgeryScript] false, %s[CResponseASTx2::IsForgeryScript] true, %s[procHello] csAgent=%s[procHello] csReferer=%s[procHello] csScriptUrl=%s[procHello] csScriptVer=%s[procHello] IsProtectedSite false - %sastx2.min.js[procHello] IsForgeryScript true - %snoenc[procE2EFormInit] ncert=%d,norsa=%d,noenc=%d[procE2EFormInit] result=%s,pageid=%s[CResponseASTx2::GetResponseData] failed SplitSubData %s/ASTX2/helloalivee2e_alivecheckset_certset_protectget_dataget_pclogis_vm_envis_remote_envis_vm_remote_enve2e_starte2e_inite2e_gettexte2e_settexte2e_cleare2e_stope2e_uninite2e_unloade2e_gethashe2e_forminite2e_formgetis_offline_masteris_not_support_oscallbacktry{%s(%s);}catch(e){}%s(%s)[getCurrentFocusWindowsHandleEdge] less-than WIN10(osver=%d)ApplicationFrameWindow[getCurrentFocusWindowsHandleEdge] pid=%d,hwnd=0x%08X,class=%s
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\Ahnlab\ASP\MyKeyDefense 2.5CheckDataFile nMode[%d] bRet[%d]IPTip_Main_WindowGetExtendedTcpTable\iphlpapi.dll\StringFileInfo\%04x%04x\%sCompanyName\VarFileInfo\TranslationWorkstationAgent.exeWorkStationAgentCitrix\Virtual Desktop AgentSOFTWARE\Citrix\VirtualDesktopAgentwinvnc.exevboxvmware{4D36E967-E325-11CE-BFC1-08002BE10318}QEMU-GASetupDiGetDeviceRegistryPropertyASetupDiEnumDeviceInfoSetupDiDestroyDeviceInfoListSetupDiGetClassDevsAsetupapi.dllProductModelManufacturerWQLSELECT * FROM Win32_BaseBoardROOT\CIMV2macappleCCheckEnv HasConflictingBoard=%d.CCheckEnv NotSupportOs=%d.CCheckEnv Remote=%d.IsVirtualMachine, dwType=%dLastPolicy@
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QEMU-GA
Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .\StSdkSa_Mkd25.cpp[CStSdkSaMkd25::Initialize] module:(%s)[CStSdkSaMkd25::Initialize] GetProcAddress failed:(%s)[CStSdkSaMkd25::Initialize] LoadLibraryEx failed:(%s)[CStSdkSaMkd25::Uninitialize] called[CStSdkSaMkd25::GetObject8A] called[CStSdkSaMkd25::GetObject8W] called.\StSdkSa_Pb.cpp[IAstxSaPbImpl::Initialize] called[IAstxSaPbImpl::Initialize] Running on server OS[IAstxSaPbImpl::Uninitialize] calledIAstxSaPbImpl::StartA[IAstxSaPbImpl::StartA] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartA] return (%x)stsess.exe;stsess32.exe;aupasd.exe;asdwsc.exe;asdup.exe;asdsvc.exe;asdcr.exe;asdcli.exe;akdve.exe;vmtoolsd.exe;sg_oathexe.exe;microsoftedgecp.exe;[IAstxSaPbImpl::StartA] Skip using [HSB] driver[IAstxSaPbImpl::StartA] AhnHS_Start success[IAstxSaPbImpl::StartA] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StartW[IAstxSaPbImpl::StartW] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartW] return (%x)[IAstxSaPbImpl::StartW] Skip using [HSB] driver[IAstxSaPbImpl::StartW] success [IAstxSaPbImpl::StartW] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StopA[IAstxSaPbImpl::StopA] Skip using HSB driver[IAstxSaPbImpl::StopA] Success [IAstxSaPbImpl::StopA] Fail IAstxSaPbImpl::StopW[IAstxSaPbImpl::StopW] Skip using HSB driver[IAstxSaPbImpl::StopW] Success [IAstxSaPbImpl::StopW] Fail IAstxSaPbImpl::SetActivateSubFuncIAstxSaPbImpl::SetEventCallbackIAstxSaPbImpl::SetExOptionA[IAstxSaPbImpl::SetExOptionA] Skip using HSB driverexceptprocesspid[IAstxSaPbImpl::SetExOptionA] protectProcess Ins, ulOption:(%x)IAstxSaPbImpl::SetExOptionW[IAstxSaPbImpl::SetExOptionW] Skip using HSB driver[IAstxSaPbImpl::SetExOptionW] protectProcess Ins, ulOption:(%x)[IAstxSaPbImpl::IAstxSaPbImpl] Running on server OS[CStSdkSaPb::Uninitialize] called[CStSdkSaPb::StSdk_GetPbObject] called
Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .\WinEventHook.cpp[CWinEventHook::Initialize] tid(%d) is recycled.[CWinEventHook::Initialze] hwnd=%x, pData->hHook=%08xhHook[CWinEventHook::Initialze] SetWinEventHook failed[CWinEventHook::Uninitialize] pData->m_hHook=%08x[CWinEventHook::Uninitialize] unhook failed, pData->m_hHook=%08x[CWinEventHook::WinEventProcFocus] ByPass, IsProhibited true[CWinEventHook::WinEventProcFocus] CLASS_IE_SHDOCVW ignored, role=%08x, hwnd=%08x[CWinEventHook::WinEventProcFocus] non-client, role=%08x, hwnd=%08x..\Common\ak_controller.cppm_hSession != NULLpByte16 != NULLpIV16 != NULL..\Common\ak_controller.cpppByte != NULLpIV != NULL%d.%d.%d.%d0.0.0.0[CController::Initialize] MKD2_CRACH_SKEY_CHKANDSTOP Success[CController::Initialize] MKD2_CRACH_SKEY_CHKANDSTOP Error [0x%08x][CController::Terminate] Mkd2Ctl_Terminate() fail.(0x%08x)[CController::PsPageInInit] Mkd2Ctl_PsPageInInit() fail.(0x%08x)[CController::PsPageInInit] Changed to unprotected mode[CController::PsPageInInit] Mkd2Ctl_AddFilterMode, dwResult=%d[CController::PsPageOutCleanUp] Mkd2Ctl_PsPageOutCleanUp() fail.(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(%ld)dwError == 0[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD20) error(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD26) error(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD25) error(0x%08x)[CController::GetKeyActionTable] Mkd2Ctl_Get_Rule_VersionEx error=%d[CController::SetKeyActionTable] GetKeyActionTable error(0x%08x)[CController::SetKeyActionTable] Mkd2Ctl_Set_Rule_VersionEx(%ld)[CController::SetKeyActionTable] Mkd2Ctl_Set_Rule_VersionEx(%ld) error(0x%08x)[CController::SetAkCtlLogPath] log skipAkCtl.log[CController::SetAkCtlLogPath] Mkd2Ctl_StartSecureLogAndSetPath szLogPath[%s][CController::SetAkCtlLogPath] Mkd2Ctl_StartSecureLogAndSetPath Failed[0x%08x][CController::PreInitialize] IsVirtualMachine, dwVMType=%x[CController::PreInitialize] Running on server OS. Skip using AK driver
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [CDriverLoaderForVista::SetDriverParam] lRet=%d, dwParam=%x, dwInstallDate=%xParam1SYSTEM\CurrentControlSet\Services\Mkd2KfNtSYSTEM\CurrentControlSet\Services\Mkd3KfNtInstallDateSOFTWARE\Microsoft\Windows NT\CurrentVersion[CDriverLoaderForVista::UnSetDriverParam] lRet=%dvboxvmware{4D36E967-E325-11CE-BFC1-08002BE10318}QEMU-GASetupDiGetDeviceRegistryPropertyASetupDiEnumDeviceInfoSetupDiDestroyDeviceInfoListSetupDiGetClassDevsAsetupapi.dll
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine, dwType=%d
Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware View Agentwsnm.exexenguestagent.exepvsvmagent.exectxsvchost.exebrokeragent.exe
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware View Agentwsnm.exexenguestagent.exepvsvmagent.exectxsvchost.exebrokeragent.exeP
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver bypass.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_StartSecureLogAndSetPath failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] IsVirtualMachine, dwVMType=%d[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop failed. (0x%x)[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop leave.[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop enter.[CDriverLoaderForVista::CreateDriverCtrlThread] _beginthreadex failed. %d[CDriverLoaderForVista::LoadDriver] already loaded.[CDriverLoaderForVista::LoadDriver] called.[CDriverLoaderForVista::UnloadDriver] not loaded.[CDriverLoaderForVista::UnloadDriver] called.
Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [CDriverLoaderForVista::DriverCtrlThreadProc] IsVirtualMachine, dwVMType=%d

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100FB0BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_100FB0BA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_101101FA

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100151A4

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FB0BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_100FB0BA
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_100FD98A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_100FD98A
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: 0_2_1010FF2F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_1010FF2F

HIPS / PFW / Operating System Protection Evasion

Found driver which could be used to inject code into processes

Source: medvpdrv.sys.6.dr	Static PE information: Found potential injection code
Source: medvpdrv.sys0.6.dr	Static PE information: Found potential injection code

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\astx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y\| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe	Process created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe	Jump to behavior

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100FA845 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_memset,GetVersionExW,CreateMutexW,CreateMutexW,CreateMutexW,GetCurrentProcessId,

0_2_100FA845

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100151A4

Source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\astx_setup.exe	Code function: GetLocaleInfoA,		0_2_10111771
Source: C:\Users\user\Desktop\astx_setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		0_2_1000C1D0

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_1010B0DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_1010B0DB

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_1010BB2E

Source: C:\Users\user\Desktop\astx_setup.exe

Code function: 0_2_100FA845 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_memset,GetVersionExW,CreateMutexW,CreateMutexW,CreateMutexW,GetCurrentProcessId,

0_2_100FA845

Source: C:\Users\user\Desktop\astx_setup.exe

0_2_100151A4

ID:	755221
Product:	CloudBasic
Start time:	13:40:01
Start date:	28.11.2022
Sample:	astx_setup.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Architecture:	WINDOWS
MD5:	7dd75b2c2e214c0347df3dc137161b19
SHA1:	072a03d9279d3ecbdb5a76c70a862a75fb50d95b
SHA256:	06f360d2a25c75619cb769f56ced75d3d92cd339cb3ec2e3aa9c642ba6f3158f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report astx_setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
astx_setup.exe