Windows Analysis Report
astx_setup.exe

Overview

General Information

Sample Name: astx_setup.exe
Analysis ID: 755221
MD5: 7dd75b2c2e214c0347df3dc137161b19
SHA1: 072a03d9279d3ecbdb5a76c70a862a75fb50d95b
SHA256: 06f360d2a25c75619cb769f56ced75d3d92cd339cb3ec2e3aa9c642ba6f3158f

Detection

GuLoader
Score: 34
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Compliance

Score: 51
Range: 0 - 100

Signatures

Yara detected AntiVM3
Yara detected GuLoader
Found driver which could be used to inject code into processes
May modify the system service descriptor table (often done to hook functions)
Writes many files with high entropy
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Yara detected Keylogger Generic
Creates or modifies windows services
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample searches for a specific file; try pointing organization-specific fake files to the analysis machine
  • System is w10x64_ra
  • astx_setup.exe (PID: 6348 cmdline: C:\Users\user\Desktop\astx_setup.exe MD5: 7DD75B2C2E214C0347DF3DC137161B19)
    • cmd.exe (PID: 6456 cmdline: C:\Windows\system32\cmd.exe /C "ECHO Y| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)" MD5: 4943BA1A9B41D69643F69685E35B2943)
      • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • cmd.exe (PID: 6512 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO Y" MD5: 4943BA1A9B41D69643F69685E35B2943)
      • cacls.exe (PID: 6524 cmdline: cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA) MD5: B304B0EF47E125F696425BD99096D3E3)
    • V3Medic.exe (PID: 6624 cmdline: "C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe" MD5: F4116873D9C057697783C2C128708617)
      • SysX64.exe (PID: 7156 cmdline: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe MD5: 9005E21833E657558F139A3D3945C97D)
        • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • SysX64.exe (PID: 6204 cmdline: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe MD5: 9005E21833E657558F139A3D3945C97D)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.2413738502.0000000000768000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
Process Memory Space: astx_setup.exe PID: 6348 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
Process Memory Space: V3Medic.exe PID: 6624 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

No Sigma rule has matched
No Snort rule has matched

Source: 6.3.V3Medic.exe.5b54600.7.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.V3Medic.exe.5ab0000.5.unpack, Avira: Label: TR/Patched.Ren.Gen7
Source: 6.3.V3Medic.exe.6065a80.14.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Users\user\Desktop\astx_setup.exe, Code function: 0_2_1007F680 CryptAcquireContextW, CryptGenRandom, CryptReleaseContext, CryptAcquireContextW, CryptGenRandom, CryptReleaseContext

Compliance

Source: astx_setup.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe, Window detected: < Back, I Agree, Cancel. AhnLab Installation System. AhnLab Installation System. License Agreement. Please review the license terms before installing AhnLab Safe Transaction. Press Page Down to see the rest of the agreement. AhnLab Software License Agreement. IMPORTANT - READ CAREFULLY BEFORE USING AHNLAB SOFTWARE. This Software License Agreement (this Agreement) is a legal agreement by and between you and AhnLab Inc. (AhnLab) with regard to the use of the software as defined below (AhnLab Software). If you do not agree to be bound by this Agreement you shall not install copy or use AhnLab Software. 1. Definitions 1.1 AhnLab Software means the software that AhnLab develops or produces and holds the rights such as copyright ownership right etc. AhnLab Software may include computer software any media printed materials and online or electronic documents including but not limited to any and all executable files additional functions user manual help files and other files accompanying AhnLab Software. 1.2 Computer means information processors such as server computer user computer etc. that can transmit and receive information through connection with communication networks. 1.3 Appliance means products that AhnLab sells to customers as a separate form of products produced by installing AhnLab Software in hardware equipment. 1.4 Use refers to any and all acts of using AhnLab Software such as storing installing or executing AhnLab Software in the main or auxiliary memory of Computer CD-ROM or other storage devices or displaying AhnLab on the screen. 1.5 Supplier means a person such as its distributor or reseller who entered into a business partnership agreement with AhnLab with regard to the sales of AhnLab Software or has been officially authorized by AhnLab to sell AhnLab Software. 1.6 You or Customer refers to you as a group or an individual that has entered into an agreement with AhnLab or the Supplier for the license to use AhnLab Software (the Purchase Agreement). 1.7 Commercial Product refers to AhnLab Software that AhnLab or the Supplier sells with charges. 1.8 Free Product refers to AhnLab Software that AhnLab or the Supplier provides free of charges. 2. Software License 2.1 Restricted License: Subject to your consent to the terms and conditions of this Agreement AhnLab grants the non-exclusive and non-transferrable license to use AhnLab Software during the term of the license (in case of Commercial Product the term set forth in Purchase Agreement and in case of Free Product the term during which AhnLab Software is available for free). 2.2 Scope of License: If you are a purchaser of Commercial Product you may install and use as many copies of AhnLab Software as you have agreed to use under the license from AhnLab or the Supplier. If you (i) execute the process of configuration or installation of this Software in a physical and/or virtual environment or (ii) make all or part of the existing instance run on a separate memory through for ex
Source: C:\Users\user\Desktop\astx_setup.exe, File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_en_US.txt
Source: C:\Users\user\Desktop\astx_setup.exe, File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_ko_kr.txt
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe, File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\license.txt
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe, File created: C:\Program Files\AhnLab\Safe Transaction\license.txt
Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe, File opened: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dafault.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dim.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_focus.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_over.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_pressed.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_f.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\checkboxes.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\custom_logo.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_focus.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_hover.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_normal.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_pressed.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_firewall.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_log_viewer.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_complete.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_error.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_info.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_warning.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_on.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_product_tray.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_quarantine.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_complete.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_detect.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_setting.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_stx_info.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_alert.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_complete.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_default.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_disable.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_default.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_disable.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_default.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_disable.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_shel_check.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_listctrl_header.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_popup_titlebar.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_safe.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_warning.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_line.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_bg.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_line.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_bg.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_line.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo_about.bmpJump to behavior
            Source: astx_setup.exe; Static PE information: certificate valid
            Source: astx_setup.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb 0 source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AMonCDw8.pdbGCTL source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\NT32Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: mfc90u.i386.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msvcr100.i386.pdb source: V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Core.pdb source: V3Medic.exe, 00000006.00000003.2174084552.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2227219595.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\TNNetUtil.pdb source: V3Medic.exe, 00000006.00000003.2200976148.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb@ source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\x64Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release32On64\HsbCtl32.pdb source: V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AMonCDw8.pdb source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ATamptU.pdb source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCli.pdb source: V3Medic.exe, 00000006.00000003.2066690791.0000000003855000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi.pdb source: V3Medic.exe, 00000006.00000003.1797309111.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: c:\devel\Ark6\bin.sdk\Ark64lgplv2.pdb source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: d:\build\system\product\mkd\korenc\building\build\ahnlab\system\product\mkd\korenc\trunk\src\klib_sys\amd64\klb64mkd.pdb source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDi.pdb source: V3Medic.exe, 00000006.00000003.2141353793.000000000385B000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: Cdm2DrNt.pdb source: V3Medic.exe, 00000006.00000003.2221847702.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\Build\X64Release.vc60\AKDVE.pdb source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: certadm.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1548503760.0000000000620000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Mkd2Bthf.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2000992273.000000000062B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdbp$ source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\AhnLab\Common\BTScan\Trunk\Build\AMD64\Free\BtScnCtl.pdb source: V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ALWFCtrl.pdbL source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdb source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1946553042.0000000005FC7000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\ais\ahni2\master-36\build\git\AIS\ahni2\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.2122627555.0000000006ABD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\AhnIEx.pdb source: astx_setup.exe, 00000000.00000002.2487160386.000000001015C000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb 0 source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb! source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_10007633 IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_1000776E IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_100157E0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_10007A49 FindFirstFileW,FindClose,GetLastError,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_10007AAA FindFirstFileW,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_10009FBA FindFirstFileW,GetLastError,FindNextFileW,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_100086D8 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindNextFileW,FindClose,GetLastError,
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe File opened: C:\Program Files\AhnLab\Safe Transaction\DB\
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe File opened: C:\Program Files\AhnLab\Safe Transaction\DB
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe File opened: C:\Program Files\AhnLab\Safe Transaction\Temp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe File opened: C:\Program Files\AhnLab\Safe Transaction\
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe File opened: C:\Program Files\AhnLab\Safe Transaction\Quarantine
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe File opened: C:\Program Files\AhnLab\Safe Transaction\Temp\
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ftp://http://HTTP/1.0
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://%1/CertEnroll/%1_%3%4.crtfile://
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://%1/CertEnroll/%3%8%9.crlfile://
            Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http:///..
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc0
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://allyoucanleet.com/
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://broofa.com/
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
            Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
            Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
            Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/SecureCertificateServices.crl09
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.geotrust.com/crls/globalca1.crl0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng3.crl0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root.crl0Y
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
            Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
            Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
            Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
            Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2125960885.0000000003857000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2079647005.0000000003885000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
            Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0f
            Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
            Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sw.symcb.com/sw.crl0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sw.symcd.com0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sw1.symcb.com/sw.crt0
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
            Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
            Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
            Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl0
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://wakaba.c3.cx/s/apps/unarchiver.html
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.7-zip.org/download.html
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.7-zip.org/sdk.html
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.aarongifford.com/
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.aescrypt.com/
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=en_US2http://www.ahnlab.com/redir/1101.rdir?locale=en_U
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=ko_KR2http://www.ahnlab.com/redir/1101.rdir?locale=ko_K
            Source: V3Medic.exe, 00000006.00000003.1984695970.0000000000632000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ahnlab.com/redir/1102.rdir?locale=sp_ES2http://www.ahnlab.com/redir/1101.rdir?locale=sp_E
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.arjsoftware.com/
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.bzip.org/downloads.html
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cabextract.org.uk/libmspack/
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certifikat.dk/repository0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.compression.ru/ds/
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: astx_setup.exe, 00000000.00000002.2409620376.000000000040A000.00000004.00000001.01000000.00000003.sdmp, V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2173657512.000000000389A000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2088378566.00000000038BF000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143188218.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1745963415.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1792743690.0000000006AEA000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1816448826.0000000003A43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2342461595.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 
00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.entrust.net/CRL/net1.crl0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com0
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/pub/infozip/license.html.
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kmonos.net/lib/xacrett.en.html
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/MPL/
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/MPL/Copyright
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.opensource.apple.com/apsl/
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.opensource.apple.com/source/xnu/xnu-1486.2.11/bsd/vfs/
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/)
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)MD5
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rarlab.com/rar_add.htm
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
            Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
            Source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valicert.com/1
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wavpack.com/
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wellsfargo.com/certpolicy0
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winace.com/
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.zlib.net/zlib_license.html
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://yuilibrary.com/license/
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://%1/CertEnroll/nsrev_%3.aspldap:///CN=%7%8
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://code.bandisoft.com
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://code.bandisoft.com/
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0)
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/activate/client
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/activate/relay
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gactivation.ahnlab.com/api/auth/v1/healthcheck
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/zopfli
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/necolas/normalize.css/
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/wycats/handlebars.js
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/wycats/handlebars.js)
            Source: V3Medic.exe, 00000006.00000003.1486462149.0000000000611000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jp.ahnlab.com/site/support/qna/qnaAddForm2.do;
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/client
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/relay
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/activate/relayhttps://mgactivation.ahnlab.com/api/auth/v
            Source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mgactivation.ahnlab.com/api/auth/v1/healthcheck
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://opensource.ahnlab.com
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://seed.kisa.or.kr/iwt/ko/sup/EgovLeaInfo.do
            Source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bandisoft.com
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
            Source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2122424988.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2383715131.0000000006D22000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/03
            Source: V3Medic.exe, 00000006.00000003.2099236206.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2017798525.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/06
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
            Source: unknownDNS traffic detected: queries for: gms.ahnlab.com
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10081531 WSASetLastError,recv,WSAGetLastError,
            Source: Yara matchFile source: Process Memory Space: V3Medic.exe PID: 6624, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\NSIS.cat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.cat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.cat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ca2.der
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ca.der
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\NSIS.cat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\V3ElamDr.cat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.cat

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_arm64.nz entropy: 7.99987389692
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_com.nz entropy: 7.99992425007
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_nt32.nz entropy: 7.99994581027
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\Engine\med_x64.nz entropy: 7.99996367978
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_ARM64.nz entropy: 7.99997967236
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Common.nz entropy: 7.99995972837
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_ARM64.nz entropy: 7.99992330835
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_NT32.nz entropy: 7.99991798674
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Install_X64.nz entropy: 7.99993900021
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_NT32.nz entropy: 7.99995451457
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_Res.nz entropy: 7.99808528554
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\ASTX_X64.nz entropy: 7.99996849744
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_ARM64.nz entropy: 7.99962010979
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_NT32.nz entropy: 7.99968840658
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Av_X64.nz entropy: 7.9996709535
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_ARM64.nz entropy: 7.99997224914
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_NT32.nz entropy: 7.99997283206
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Core_X64.nz entropy: 7.99997706581
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_ARM64.nz entropy: 7.99993645268
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_NT32.nz entropy: 7.99993597151
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Fw_X64.nz entropy: 7.99993716897
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_ARM64.nz entropy: 7.99974501255
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_NT32.nz entropy: 7.99971520737
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Ips_X64.nz entropy: 7.99975169927
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_ARM64.nz entropy: 7.99851995659
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_NT32.nz entropy: 7.99884081465
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Mdp_X64.nz entropy: 7.99914416454
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\Update.nz entropy: 7.99991954609
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\asdahc.nz entropy: 7.99403404133
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\geo.asd entropy: 7.99435509055
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\geo.asd entropy: 7.99435509055
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\gof.dat entropy: 7.99341158373
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\gof.dat entropy: 7.99341158373
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msg.dat entropy: 7.99989526323
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\msg.dat entropy: 7.99989526323
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Prtect.dat entropy: 7.99468772612
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat entropy: 7.99468772612
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tnnipsig.rul entropy: 7.9985827226
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul entropy: 7.9985827226
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\defcfg.db entropy: 7.99346459276
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db entropy: 7.99346459276
            Source: astx_setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1000D6BA AI_ExitWindows,AhnIEx_ExitWindows,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1001869A AhnIEx_ExitWindows,AhnIEx_IsWinNT,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\AhnInst.log
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100EF060
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A7080
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_101150A7
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_101130A7
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B30B0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A30E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B10E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1009B110
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A51C0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100C7320
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F3320
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1009F340
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1009B360
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A9380
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A53B0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A1410
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100AB440
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F3440
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A3450
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F3488
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100734F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A5550
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B15E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_101135EB
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100DF640
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A9650
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B3700
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A3750
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A5760
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008D780
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1009F7E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100DF7F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B1800
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F58F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1009B920
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100EF940
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100AD970
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1010D98B
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F3A60
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A5A70
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F5B10
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10113B2F
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1009FBF0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A9C50
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100C3C80
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100DFC80
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1003DCD0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100E3CE0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100E7CF0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008DD00
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10073D10
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100C1D20
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A3D30
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F5D50
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A5D90
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A3DF0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FBDF1
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100C3E10
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100C1EF0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10073F10
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A5F20
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B1FA0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10105FC2
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008E058
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A4050
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A2080
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100AC0E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F60E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100AA130
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A01A0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F41C0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008A200
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008A229
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F0220
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10114227
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A42A0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FC2C6
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100E8300
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A2340
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100F4340
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100EE350
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100D0370
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008E390
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008C3E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A63F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100AA3F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10074420
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B4430
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B6490
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A44A0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100524D0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A0560
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100C45C0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1008C5F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B4610
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100D6610
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A8630
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A2680
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FC69A
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100B2690
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100A46C0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100AA6E0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100506F0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100E0770
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1000A7B7
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00635002
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00642484
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644688
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064195B
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00644909
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00640786
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_006435EA
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_00640BF2
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeCode function: 6_3_0064354C
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 10105818 appears 55 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 100FB0D0 appears 620 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 100FAF3D appears 44 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 10051590 appears 84 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 100FADEC appears 263 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 10017248 appears 51 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 1004F8A0 appears 105 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 1004F950 appears 374 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 1004F970 appears 49 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 1004F8E0 appears 81 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 100FAADF appears 39 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 1000A6E4 appears 49 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: String function: 1005DA30 appears 48 times
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10006383 __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3,_memset,GetLastError,GetLastError,CreateProcessAsUserW,GetLastError,GetLastError,
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeProcess Stats: CPU usage > 98%
            Source: astx_setup.exe, 00000000.00000002.2487880272.000000001017D000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameAhnIEx.dll( vs astx_setup.exe
            Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exeSection loaded: mfc90enu.dll
            Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exeSection loaded: mfc90loc.dll
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10013A39 OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,GetLastError,AhnIEx_SetReboot,GetLastError,CloseServiceHandle,GetLastError,GetLastError,GetLastError,CloseServiceHandle,GetLastError,
            Source: C:\Users\user\Desktop\astx_setup.exeFile read: C:\Users\user\Desktop\astx_setup.exe
            Source: astx_setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\astx_setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\astx_setup.exe C:\Users\user\Desktop\astx_setup.exe
            Source: C:\Users\user\Desktop\astx_setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)
            Source: C:\Users\user\Desktop\astx_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe "C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe"
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeProcess created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
            Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\astx_setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1001869A AhnIEx_ExitWindows,AhnIEx_IsWinNT,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nspB39D.tmp
            Source: classification engineClassification label: sus34.rans.troj.evad.winEXE@16/713@3/0
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100162BF __EH_prolog3,CoCreateInstance,_wcsrchr,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,CloseServiceHandle,GetLastError,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: AI_CreateService2,
            Source: C:\Users\user\Desktop\astx_setup.exeFile read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1000D788 AI_GetDiskFreeSpace,AhnIEx_GetDiskFreeSpace,AhnIEx_snprintf,
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM %s WHERE %s;
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
            Source: V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1582968292.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM %s;
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1586545869.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100136B9 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,GetLastError,GetLastError,PeekMessageW,Sleep,QueryServiceStatus,DispatchMessageW,PeekMessageW,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_02
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeMutant created: \Sessions\1\BaseNamedObjects\Global\_mutex_ahni2_log_
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:304:WilStaging_02
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeMutant created: \Sessions\1\BaseNamedObjects\Global\_Mutex_AIL_SingleInstance_{FF56B785-EF71-461B-AF11-9891E8303723}_ASTX
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_02
            Source: C:\Users\user\Desktop\astx_setup.exeMutant created: \Sessions\1\BaseNamedObjects\Global\_Mutex_AIL_Log_
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:304:WilStaging_02
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10019718 LoadResource,LockResource,SizeofResource,
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab
            Source: C:\Users\user\Desktop\astx_setup.exeFile written: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\BldInfo.ini
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeWindow detected: < BackI AgreeCancelAhnLab Installation System AhnLab Installation SystemLicense AgreementPlease review the license terms before installing AhnLab Safe Transaction.Press Page Down to see the rest of the agreement.AhnLab Software License AgreementIMPORTANT - READ CAREFULLY BEFORE USING AHNLAB SOFTWARE.This Software License Agreement (this Agreement) is a legal agreement by and between you and AhnLab Inc. (AhnLab) with regard to the use of the software as defined below (AhnLab Software). If you do not agree to be bound by this Agreement you shall not install copy or use AhnLab Software. 1. Definitions 1.1 AhnLab Software means the software that AhnLab develops or produces and holds the rights such as copyright ownership right etc. AhnLab Software may include computer software any media printed materials and online or electronic documents including but not limited to any and all executable files additional functions user manual help files and other files accompanying AhnLab Software. 1.2 Computer means information processors such as server computer user computer etc. that can transmit and receive information through connection with communication networks. 1.3 Appliance means products that AhnLab sells to customers as a separate form of products produced by installing AhnLab Software in hardware equipment. 1.4 Use refers to any and all acts of using AhnLab Software such as storing installing or executing AhnLab Software in the main or auxiliary memory of Computer CD-ROM or other storage devices or displaying AhnLab on the screen. 1.5 Supplier means a person such as its distributor or reseller who entered into a business partnership agreement with AhnLab with regard to the sales of AhnLab Software or has been officially authorized by AhnLab to sell AhnLab Software. 
1.6 You or Customer refers to you as a group or an individual that has entered into an agreement with AhnLab or the Supplier for the license to use AhnLab Software (the Purchase Agreement). 1.7 Commercial Product refers to AhnLab Software that AhnLab or the Supplier sells with charges. 1.8 Free Product refers to AhnLab Software that AhnLab or the Supplier provides free of charges. 2. Software License2.1 Restricted License: Subject to your consent to the terms and conditions of this Agreement AhnLab grants the non-exclusive and non-transferrable license to use AhnLab Software during the term of the license (in case of Commercial Product the term set forth in Purchase Agreement and in case of Free Product the term during which AhnLab Software is available for free).2.2 Scope of License: If you are a purchaser of Commercial Product you may install and use as many copies of AhnLab Software as you have agreed to use under the license from AhnLab or the Supplier. If you (i) execute the process of configuration or installation of this Software in a physical and/or virtual environment or (ii) make all or part of the existing instance run on a separate memory through for ex
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll
            Source: astx_setup.exeStatic file information: File size 81412376 > 1048576
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DB
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DefPly
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Temp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\table
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\image
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\en_us\table
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\NetRule
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Log
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Quarantine
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\ASDTEMP
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\MeD
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\Microsoft.VC90.CRT.manifest
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\license.txt
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\drvinfo_astx.ini
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DB\ipcntry.db
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzcmncfg.db
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DB\nzdefcfg.db
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcp90.dll.ahc
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcp90.dll.ahc
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcr90.dll.ahc
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcr90.dll.ahc
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\AHC\product.dat.ahc
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\mupdate2.cfg
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Product.dat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\V3Prtect.dat
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\astx.inf
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipprt.rul
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\aos.sld
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\aspinfo.ui
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\extraopn_ply.uiJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\netizen_ply_default.uiJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\ply_ver.uiJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\DefPly\starter_ply.uiJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_default.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_disable.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_focus_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_over.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_b_press_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_default_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_disable_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focused_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_focus_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_over_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_basic_w_press_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_close_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_focused_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_normal_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_over_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_default_press_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_help_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_minimize_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dafault.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_dim.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_focus.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_over.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_next_pressed.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dafault.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_dim.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_focus.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_over.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_pre_pressed.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_disable_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_normal_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_over_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_mid.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_setting_press_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_f.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_info_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_left_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_mid_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_h.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_n.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\btn_web_link_right_p.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_bottom_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_left.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\b_bg_top_right.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\checkboxes.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\custom_logo.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_focus.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_hover.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_normal.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\help_btn_pressed.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_firewall.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_log_viewer.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_complete.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_error.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_info.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_message_warning.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_on.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_product_tray.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_quarantine.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_complete.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_scan_detect.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_setting.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_stx_info.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_alert.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\icon_tray_complete.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_default.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDirectory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_cr_disable.bmpJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_default.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ff_disable.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_default.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_browser_ie_disable.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\ico_shel_check.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_listctrl_header.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\img_popup_titlebar.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_safe.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\scan_ico_warning.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_line.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_bg.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_normal_line.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_bg.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_over_line.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_left.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_selected_right.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_left.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_mid.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_sel_right.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_left.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\tab_unselected_right.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo.bmp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Directory created: C:\Program Files\AhnLab\Safe Transaction\Resource\default\image\title_logo_about.bmp
            Source: astx_setup.exe Static PE information: certificate valid
            Source: astx_setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: AhnRghNt.pdb source: V3Medic.exe, 00000006.00000003.2204584934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\AhnLab\Common\WinFWMgr\Trunk\Build\X64Release.vc90\WinFWMgr.pdb source: V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\PdCfg.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1795673899.0000000000629000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Av.pdb source: V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2028561930.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\UpEx.pdb source: V3Medic.exe, 00000006.00000003.1838675962.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ATamptNt.pdb source: V3Medic.exe, 00000006.00000003.2220560883.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\Build\X64Release.vc60\CdmCtrl.pdb source: V3Medic.exe, 00000006.00000003.2164525785.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AHAWKENT.pdb source: V3Medic.exe, 00000006.00000003.2203334329.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AMonTDLH.pdb source: V3Medic.exe, 00000006.00000003.2212897136.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AMonTDnt.pdb source: V3Medic.exe, 00000006.00000003.2216027615.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AMonCDw7.pdb source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\build\X64Release.vc60\AhnCtlKD.pdb source: V3Medic.exe, 00000006.00000003.2118726572.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\HsbCtl.pdb source: V3Medic.exe, 00000006.00000003.1746313302.0000000003A5E000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\2.1\Trunk\Src\Common\aostrust\Trunk\Build\X64Release\aostrust32.pdb source: V3Medic.exe, 00000006.00000003.1754532060.0000000000627000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: msvcm90.i386.pdb source: V3Medic.exe, 00000006.00000003.1941544747.0000000005E6A000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrumt.pdb source: V3Medic.exe, 00000006.00000003.2376704009.0000000006BB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\ScrMon32.pdb source: V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1800565257.000000000062E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: certutil.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzPlugin.pdb source: V3Medic.exe, 00000006.00000003.1790684505.0000000003A1D000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1858664684.000000000614A000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\Build\_building\Build\Engine\EngineNG\brahma\trunk\build\msvc6_win64\AMD64Release\bin\asc_main.pdb source: V3Medic.exe, 00000006.00000003.2023263372.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2039114730.0000000003750000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: HSBDrv64.pdb source: V3Medic.exe, 00000006.00000003.1994448685.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1965582045.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ALWFCtrl.pdb source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Mkd2Nadr.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2002829645.0000000000629000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\AupASD.pdb source: V3Medic.exe, 00000006.00000003.2098362304.00000000038A6000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk.pdb source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDUp.pdb source: V3Medic.exe, 00000006.00000003.2086586393.0000000003856000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: mfc90u.amd64.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2238811654.0000000005DC2000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: Mkd3kfNt.pdb source: V3Medic.exe, 00000006.00000003.2005506483.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2006028938.0000000000629000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: msvcr90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1419152820.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1993346827.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\Win32Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: AMonCDw7.pdbGCTL source: V3Medic.exe, 00000006.00000003.2206061085.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtInst.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1802866087.0000000000629000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: msvcp90.amd64.pdb source: V3Medic.exe, 00000006.00000003.2258731491.00000000062A1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\AhnLab\Common\AhnTrust\3.0\trunk\Build\X64Release.vc90\atstrust.pdb source: V3Medic.exe, 00000006.00000003.2158939065.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: V3ElamDr.pdb source: V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2049620514.000000000062B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: msvcm90.amd64.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25sdk.pdb source: V3Medic.exe, 00000006.00000003.1569077142.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1596806201.0000000005DEC000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\SysX64.pdb source: SysX64.exe, 0000000F.00000000.1385836130.000000000040F000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDSvc.pdb source: V3Medic.exe, 00000006.00000003.2080153436.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: msvcp90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCr.pdb source: V3Medic.exe, 00000006.00000003.2072555587.000000000385F000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: U:\Build\X64Release.vc60\AHAWKE.pdb source: V3Medic.exe, 00000006.00000003.2109994779.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\ahnlab\system\common\public\monster_v4.0\trunk\src\amonlwlh\amd64\AMonLWLH.pdb source: V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzBrcom.pdb source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: V3ElamCt.pdb source: V3Medic.exe, 00000006.00000003.2031350084.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: e:\local_temp\win_amd64_unicode_msvs09\AHLOHA\Ahloha1.4.0.1_SRC\build\msvs09\x64\Release\ahloha.pdb source: V3Medic.exe, 00000006.00000003.2117776200.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1425377759.0000000004546000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\Build\X64Release.vc60\CdmAPI.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.2162841684.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSvr.pdb source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msvcr90.i386.pdb source: V3Medic.exe, 00000006.00000003.1942456409.0000000005EA3000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TSFltCtl.pdb source: V3Medic.exe, 00000006.00000003.2029624911.000000000062B000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TSFltDrv.pdb source: V3Medic.exe, 00000006.00000003.2048550396.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2045082920.00000000038E1000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2048046261.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Building\TSMime\TSMime_1.0\build\X64Release.vc90\tsmime.pdb source: V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\V3Cert.pdb source: V3Medic.exe, 00000006.00000003.1839454028.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AMonHKnt.pdb source: V3Medic.exe, 00000006.00000003.2209193882.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TfFRegNt.pdb source: V3Medic.exe, 00000006.00000003.2293256353.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2293596896.0000000000638000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release\mkd25def.pdb 0 source: V3Medic.exe, 00000006.00000003.1567514805.0000000000620000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AMonCDw8.pdbGCTL source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\NT32Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: mfc90u.i386.pdb source: V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msvcr100.i386.pdb source: V3Medic.exe, 00000006.00000003.1597415511.0000000005E41000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\Core.pdb source: V3Medic.exe, 00000006.00000003.2174084552.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2227219595.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\TNNetUtil.pdb source: V3Medic.exe, 00000006.00000003.2200976148.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl32.pdb@ source: V3Medic.exe, 00000006.00000003.1872389829.0000000006605000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1817604204.0000000006AC0000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Project\KCMVP\ACM\1.0\D.0000000017\Build\libacm.dll\VC9.0\x64Release\libacm.pdb source: V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release32On64\HsbCtl32.pdb source: V3Medic.exe, 00000006.00000003.1753923421.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AMonCDw8.pdb source: V3Medic.exe, 00000006.00000003.2207735485.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ATamptU.pdb source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDCli.pdb source: V3Medic.exe, 00000006.00000003.2066690791.0000000003855000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi.pdb source: V3Medic.exe, 00000006.00000003.1797309111.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: c:\devel\Ark6\bin.sdk\Ark64lgplv2.pdb source: V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: d:\build\system\product\mkd\korenc\building\build\ahnlab\system\product\mkd\korenc\trunk\src\klib_sys\amd64\klb64mkd.pdb source: V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: u:\Project\Medicine\Framework\2.5\Trunk\Build\X64Release\ASDi.pdb source: V3Medic.exe, 00000006.00000003.2141353793.000000000385B000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\powapi32.pdb source: V3Medic.exe, 00000006.00000003.1799138938.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1863999407.0000000006332000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: Cdm2DrNt.pdb source: V3Medic.exe, 00000006.00000003.2221847702.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\Build\X64Release.vc60\AKDVE.pdb source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Common\AhnI2\7.0\building\build\AhnLab\Common\AhnI2\7.0\Trunk\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: certadm.pdb source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1548503760.0000000000620000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Mkd2Bthf.pdb source: V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2000992273.000000000062B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdbp$ source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StCtl.pdb source: V3Medic.exe, 00000006.00000003.1866509398.000000000640F000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: U:\AhnLab\Common\BTScan\Trunk\Build\AMD64\Free\BtScnCtl.pdb source: V3Medic.exe, 00000006.00000003.2160139288.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ALWFCtrl.pdbL source: V3Medic.exe, 00000006.00000003.2123371733.000000000062C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\X64Release\StSdk32.pdb source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: u:\Product\AOS\SafeTransaction\1.0\Trunk\Build\NT32Release\NzInst.pdb source: V3Medic.exe, 00000006.00000003.1946553042.0000000005FC7000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: d:\Build\ais\ahni2\master-36\build\git\AIS\ahni2\Build\X64Release.vc90\AhnI2.pdb source: V3Medic.exe, 00000006.00000003.2122627555.0000000006ABD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: d:\Build\Install\Common\Plugins\building\build\svn\AhnLab\Install\Common\Plugins\Trunk\Build\NT32Release\AhnIEx.pdb source: astx_setup.exe, 00000000.00000002.2487160386.000000001015C000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: d:\Build\Product\AOS\SafeTransaction\1.0\building\build\Product\AOS\SafeTransaction\1.0\Trunk\Src\AkSdk\Trunk\Build\Release64\mkd25.pdb 0 source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: U:\Ambass\ambass\projects\msvc9\x64\Release DLL MT\ambassmt.pdb! source: V3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match File source: 00000000.00000002.2413738502.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: astx_setup.exe PID: 6348, type: MEMORYSTR
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_100FB580 push ecx; ret
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_1010585D push ecx; ret
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Code function: 6_3_00635002 pushad ; retn 0000h
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe Code function: 6_3_00631142 push FFFFFF89h; retf
            Source: medvphku.dll.6.dr Static PE information: section name: .detourc
            Source: medvphku.dll.6.dr Static PE information: section name: .detourd
            Source: medvphku.dll.6.dr Static PE information: section name: .UPX0
            Source: medvphku.dll0.6.dr Static PE information: section name: .detourc
            Source: medvphku.dll0.6.dr Static PE information: section name: .detourd
            Source: medvphku.dll0.6.dr Static PE information: section name: .UPX0
            Source: medvphkuw6.dll.6.dr Static PE information: section name: .detourc
            Source: medvphkuw6.dll.6.dr Static PE information: section name: .detourd
            Source: medvphkuw6.dll.6.dr Static PE information: section name: .UPX0
            Source: medvphkuw6.dll0.6.dr Static PE information: section name: .detourc
            Source: medvphkuw6.dll0.6.dr Static PE information: section name: .detourd
            Source: medvphkuw6.dll0.6.dr Static PE information: section name: .UPX0
            Source: trueeyesu.dll.6.dr Static PE information: section name: .detourc
            Source: trueeyesu.dll.6.dr Static PE information: section name: .detourd
            Source: trueeyesu.dll.6.dr Static PE information: section name: .UPX0
            Source: trueeyesu.dll0.6.dr Static PE information: section name: .detourc
            Source: trueeyesu.dll0.6.dr Static PE information: section name: .detourd
            Source: trueeyesu.dll0.6.dr Static PE information: section name: .UPX0
            Source: ScrMon32.dll.6.dr Static PE information: section name: .ScrmonS
            Source: ScrMon32.dll0.6.dr Static PE information: section name: .ScrmonS
            Source: Ark64.dll.6.dr Static PE information: section name: text
            Source: Ark64.dll0.6.dr Static PE information: section name: text
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_101101FA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
            Source: initial sampleStatic PE information: section name: .UPX0 entropy: 7.008144709647387
            Source: initial sampleStatic PE information: section name: .UPX0 entropy: 7.097619293313276
            Source: initial sampleStatic PE information: section name: .UPX0 entropy: 7.030662826386985
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\NzInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\mfc90u.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcp90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medcored.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmAPI.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil_.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ALWFCtrl.Dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.Dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\TSFltCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcored.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonLWLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\PdCfg.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ASDi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\mkd3kfnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\klb64mkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Core.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libnspr4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXE
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Medic.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ahloha.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\StCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYS
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\powapi32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamCt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Cert.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnRghNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TFFREGNT.SYS
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonHKnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSdk32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\trueeyesu.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ATampt.dll
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\AhnIEx.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\libacm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libcrypto-1_1-x64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90KOR.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLL
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25def64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\asc_main.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2Nadr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25sdk64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonTDnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHS.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\StSdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\NzInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSess32.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AhnIEx.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcp90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certadm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHT.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\Cdm2DrNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\StCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90JPN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\sqlite3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\BtScnCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medext.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW8.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64lgplv2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\NzPlugin.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd2564.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\asc_main.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\smime3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ENU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ambassmt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ScrMon32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESP.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDUp.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\PdCfg.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AupASD.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\System.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr100.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medvphkuw6.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKENT.SYS
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\tsmime.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDWsc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\StCtInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplc4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphku.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libacm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mfc90u.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libssl-1_1-x64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90FRA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\SCTX.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltDrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\msvcp90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ENU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnCtlKD.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbDrv64.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2bthf.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\aostrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\nsExec.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysARM64.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AI7z20.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATamptNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssdbm3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\freebl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Av.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\klb64mkd.sys
            Source: C:\Users\user\Desktop\astx_setup.exeFile created: C:\Users\user\AppData\Local\Temp\nslB5A3.tmp\System.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd3kfnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medext.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AupASD.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AKDVE.EXE
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW7.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\atstrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\atstrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\UpEx.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmCtrl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess32.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\powapi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90ENU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\ScrMon32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\WinFWMgr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\InstallOptions.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tsmime.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ITA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcp90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AhnRghNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonTDLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonCDW8.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\UpEx.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ssl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\mfc90u.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\msvcp90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssutil3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcore.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplds4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkuw6.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medcore.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDSvc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCr.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\WinFWMgr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\Mkd2Nadr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzPlugin.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TNNetUtil.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonHKnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\StSess.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medvphkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SCTX.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AtamptU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\V3ElamDr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\mfc90u.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\StSvr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssckbi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\msvcr90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ahloha.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\NzBrcom.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcm90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcp90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AhnI2t.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sysJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Av.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90DEU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\V3ElamCt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKE.DLL
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\HsbDrv64.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\softokn3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\StCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\Mkd2bthf.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATampt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\NzInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonCDW7.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzInst32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Core.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\medvphku.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\TSFltDrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzBrcom32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\V3Cert.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd2564.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\libacm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\TFFREGNT.SYS
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSvr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Nz32\aostrust32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\ambassmt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Cdm2DrNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\trueeyesu.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvpdrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\TNNetUtil.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\Ark64.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nss3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\HsbDrv64.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonCDW8.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\Mkd2bthf.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\V3ElamDr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\klb64mkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\mkd3kfnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonCDW7.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\Mkd2Nadr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\Cdm2DrNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonTDnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AhnRghNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonTDLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonHKnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile created: C:\Windows\System32\drivers\AMonLWLH.sys
            Source: C:\Users\user\Desktop\astx_setup.exe; Code function: 0_2_1000B0F4 AhnIEx_SetMode,AhnIEx_GetMode,AhnIEx_GetMode,AhnIEx_GetMode,_memset,AhnIEx_IsWinNT,AhnIEx_IsWinNT,AhnIEx_IsWinNT,GetPrivateProfileStringW,
            Source: C:\Users\user\Desktop\astx_setup.exe; File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_en_US.txt
            Source: C:\Users\user\Desktop\astx_setup.exe; File created: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\_Setup\License_ko_kr.txt
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe; File created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\license.txt
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe; File created: C:\Program Files\AhnLab\Safe Transaction\license.txt
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mkd2Nadr
            Source: C:\Users\user\Desktop\astx_setup.exe; Code function: 0_2_100136B9 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,GetLastError,GetLastError,PeekMessageW,Sleep,QueryServiceStatus,DispatchMessageW,PeekMessageW,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

            Hooking and other Techniques for Hiding and Protection

            Source: V3Medic.exe, 00000006.00000003.2062693325.000000000062C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: KeServiceDescriptorTable
            Source: C:\Users\user\Desktop\astx_setup.exe; Code function: 0_2_1001D082 GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,FreeLibrary,_memset,
            Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)
            Source: C:\Users\user\Desktop\astx_setup.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match; File source: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys, type: DROPPED
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\Desktop\astx_setup.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medcored.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3Medic.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmAPI.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil_.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ALWFCtrl.Dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.DllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TSFltCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcored.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AMonLWLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDi.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\PdCfg.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\mkd3kfnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\klb64mkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Core.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libnspr4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXEJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Medic.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ahloha.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvpdrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYSJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\powapi32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamCt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3Cert.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnRghNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\aostrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TFFREGNT.SYS
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonHKnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSdk32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ATampt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\trueeyesu.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\V3ElamDr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\libacm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libcrypto-1_1-x64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90KOR.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25def64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLLJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\asc_main.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2Nadr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25sdk64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AMonTDnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25sdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHS.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ITA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StSess32.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certadm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90CHT.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\Cdm2DrNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\StCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90JPN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\sqlite3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\BtScnCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medext.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW8.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64lgplv2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\NzPlugin.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\asc_main.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd2564.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\smime3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ambassmt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ScrMon32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESP.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDUp.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\PdCfg.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AupASD.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcr100.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphkuw6.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKENT.SYS
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\tsmime.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDWsc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCtInst.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplc4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphku.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libacm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libssl-1_1-x64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90FRA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\SCTX.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TSFltDrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AhnCtlKD.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbDrv64.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Mkd2bthf.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\aostrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysARM64.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\AI7z20.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATamptNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssdbm3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\freebl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90DEU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Av.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\klb64mkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd3kfnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medext.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90JPN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\IAccessible2Proxy32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AupASD.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonCDW7.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AKDVE.EXE
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\atstrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90ESP.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\atstrust.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\UpEx.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSess32.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCli.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\CdmCtrl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\powapi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\ScrMon32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\WinFWMgr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\tsmime.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ITA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\mkd25def.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AhnRghNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AMonTDLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonLWLH.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AMonCDW8.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\UpEx.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ssl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssutil3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medcore.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\libplds4.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvphkuw6.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90FRA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medcore.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDSvc.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ASDCr.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\certutil.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\WinFWMgr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\Mkd2Nadr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzPlugin.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzBrcom32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\TNNetUtil.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AMonTDnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\NzInst32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AMonHKnt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSess.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphkd.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AtamptU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SCTX.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Ark64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\V3ElamDr.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StSvr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nssckbi.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90ESN.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ahloha.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\NzBrcom.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\msvcm90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\HsbCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Av.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\SDK\AK\x64\mkd25.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\MFC90DEU.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3ElamCt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\AHAWKE.DLL
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25sdk.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\HsbDrv64.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\softokn3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\Mkd2bthf.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\StCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\powapi32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\ATampt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Windows\System32\drivers\AMonCDW7.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzInst32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Core.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\medvphku.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\NzBrcom32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TSFltDrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\ProgramData\AhnLab\AIS\SafeTransaction\AhnI2.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\V3Cert.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StCtl32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90KOR.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd25def.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\mkd2564.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\libacm.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TFFREGNT.SYS
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\ProgramData\AhnLab\AIS\SafeTransaction\msvcm90.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSvr.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Nz32\aostrust32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\StSdk32.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\ambassmt.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\Cdm2DrNt.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\trueeyesu.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\medvpdrv.sys
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\TNNetUtil.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\Ark64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\e\nss3.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dll
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeDropped PE file which has not been started: C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dll
            Source: C:\Users\user\Desktop\astx_setup.exeAPI coverage: 1.2 %
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10007633 IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1000776E IsCharAlphaW,FindFirstFileW,FindFirstFileW,GetLastError,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100157E0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10007A49 FindFirstFileW,FindClose,GetLastError,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10007AAA FindFirstFileW,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_10009FBA FindFirstFileW,GetLastError,FindNextFileW,FindClose,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100086D8 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindNextFileW,FindClose,GetLastError,
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Program Files\AhnLab\Safe Transaction\DB\
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Program Files\AhnLab\Safe Transaction\DB
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Program Files\AhnLab\Safe Transaction\Temp
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Program Files\AhnLab\Safe Transaction\
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Program Files\AhnLab\Safe Transaction\Quarantine
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeFile opened: C:\Program Files\AhnLab\Safe Transaction\Temp\
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware View Agent
            Source: V3Medic.exe, 00000006.00000003.1842987372.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .\StSdkSa_PcLog.cpp[IAstxSaPcLogImpl::Initialize] called[IAstxSaPcLogImpl::Uninitialize] calledIAstxSaPcLogImpl::GetPcLogA[IAstxSaPcLogImpl::GetPcLogA] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d)VirtualMachineYnYN[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogA] dwError(0x%08x)IAstxSaPcLogImpl::GetPcLogW[IAstxSaPcLogImpl::GetPcLogW] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] dwError(0x%08x)[CStSdkSaPcLog::Uninitialize] called0
            Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: setupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service.\AkMsgCtrl.cpp[CAkMsgCtrl::Initialize][CAkMsgCtrl::Initialize] _beginthreadex m_hAliveThread=%x, nThreadId=%x[CAkMsgCtrl::Initialize] _beginthreadex m_hProcessingThread=%x, nThreadId=%x[CAkMsgCtrl::Initialize] _beginthreadex m_hWaitingThread=%x, nThreadId=%x[CAkMsgCtrl::Finalize][CAkMsgCtrl::AliveThread][CAkMsgCtrl::WaitingThread]\\.\pipe\session(%d)nzbrco(%d)[CAkMsgCtrl::Callback] pRequest == NULL%s[CAkMsgCtrl::ProcessingThread]commandtypefilefilepathrbcommandseqe2e_inite2e_starte2e_cleare2e_focuse2e_blure2e_stopget_datae2e_alivee2e_uninite2e_unloade2e_gethashe2e_gettexte2e_settexte2e_forminite2e_formgetsdk_getenctext[CAkMsgCtrl::ProcessingThread] Unknown Request=%sACKresultpageid[CAkMsgCtrl::OnE2EUninit] pInstance == NULL, IsWindow(hwndFocus=%x) == %d[CAkMsgCtrl::OnE2EUnload] pInstance == NULL, IsWindow(hwndFocus=%x) == %de2e_inputidnamee2e_typeurlhwndvAlgcustcodeak_drvnosptw_vkeyw_kstr0call_settextcall_gettextvm_env1formmaxlengthtxtmsktypee2e_inputtype[CAkMsgCtrl::OnE2EFocus] pE2EInput == NULL21password[CAkMsgCtrl::OnE2EFocus] pInstance == NULL, hwndFocus=%x[CAkMsgCtrl::OnE2EFocus] pInstance == NULL, IsWindow(hwndFocus=%x) == false[CAkMsgCtrl::OnE2EFocus] Updated pE2EWindow->m_hwndFocus(%x) to hFocus(%x)[CAkMsgCtrl::OnE2EBlur] pInstance == NULL, IsWindow(hwndFocus=%x) == %d[CAkMsgCtrl::OnE2EBlur] ignored, still focused [CAkMsgCtrl::OnE2EStop] pInstance == NULL, IsWindow(hwndFocus=%x) == 
%dalgids1names1ids2names2uniqcert1cert2utimenorsa&=e2e_data2e2e_data1[CAkMsgCtrl::OnE2EGetHash] pE2EInput == NULL[CAkMsgCtrl::OnE2EGetHash] strHash(empty)hashwizvera_key[CAkMsgCtrl::OnE2EGetText] pE2EInput == NULL2231[CAkMsgCtrl::OnE2EGetText] not allowed, m_strE2EType=%s[CAkMsgCtrl::OnE2EGetText] Wizvera Mode. Key is empty.text[CAkMsgCtrl::OnE2EGetText] Wizvera Mode. Encrypt failed.e2eformnoenc[CAkMsgCtrl::OnE2ESetText] pE2EInput == NULLe2e_datancertversvre2e_form1e2e_form2[CAkMsgCtrl::OnE2EFormGet] pE2EInput == NULLcustomcoderandom[CAkMsgCtrl::OnSDKGetEncText] E2EMGR.GetEncTextStr() failed.getenctext.\apihook.cpphModuleHandleszExportAPI[HookFreeCodeGetProcAddress] EXCEPTION_EXECUTE_HANDLERpbMemBufpbRawBuf[GetOrgCodeFromFile] GetModuleHandle failed(errno=%ld,%s)dwRvaAddr > 0[GetOrgCodeFromFile] CreateFileA failed(errno=%ld,%s)[GetOrgCodeFromFile] CreateFileMapping failed(errno=%ld)[GetOrgCodeFromFile] MapViewOfFile failed(errno=%ld)[GetOrgCodeFromFile] ReadFile failed(errno=%ld)CallWindowProcWCallWindowProcAuser32.dll.\CallWindowProcApiHook.cppCCallWindowProcApiHook::Hook_CallWindowProcA FF SetSafeWndProc lpPrevWndFunc[0x%08x]xul.dllCCallWindowProcApiHook::Hook_
            Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: \\.\pipe\nzsesspipeserver..\Common\NzSessMessageMgr.cpp[CNzSessMessageMgr::CNzSessMessageMgr] CAccessUtility::CreateEveryoneAccessibleSecurityDescriptor() failed.{7D33F21A-8B4E-4c90-B80D-227DBF687A4E}NULL != m_hSyncMutex[CNzSessMessageMgr::SendBrwsLogMessage] CPipeClient::CheckServer() failed. error=%d[CNzSessMessageMgr::SendBrwsLogMessage] CPipeClient::Connect() failed. error=%dCNzSessMessageMgr::SendSdkEstmMessage[CNzSessMessageMgr::SendSdkEstmMessage] CPipeClient::CheckServer() failed. error=%d[CNzSessMessageMgr::SendSdkEstmMessage] CPipeClient::Connect() failed. error=%dNULL != pSecureMsg[CNzSessMessageMgr::SendSdkExMessageIntRet] CPipeClient::CheckServer() failed.[CNzSessMessageMgr::SendSdkExMessageIntRet] CPipeClient::Connect() failed.[CNzSessMessageMgr::SendSdkExMessageStrRet] CPipeClient::CheckServer() failed.[CNzSessMessageMgr::SendSdkExMessageStrRet] CPipeClient::Connect() failed.xdigitwuppersspacepunctprintlowergraphdigitdcntrlblankalphaalnumteamviewervncrc40app.exercengmgru.exeManufacturerModelProduct\iphlpapi.dllGetExtendedTcpTablesetupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service
            Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/..\Common\PcLogGatherer.cpp[CPcLogGatherer::Reload] m_hReloadThread=%x, m_nReloadThreadID=%d[CPcLogGatherer::Reload] PcLog is already reloadingCPcLogGatherer::ReloadInternalPrivIP%dGatewayIP%dGatewayIPIP_ETH0_PRIV_YNIP_ETH1_PRIV_YNIP_ETH2_PRIV_YN0.0.0.0ActiveGWIPPrivIP1PrivIP2PrivIP3McAdr%dMAC_ORG_ETH%dFORGERY_MAC_ETH%d_YNJuniper Network Connect Virtual Adapter%02X-%02X-%02X-%02X-%02X-%02X00-00-00-00-00-00McAdr%dFORGERY_MAC_YNVpnYnVpnIPVpnCntryCdIP_VPN_LCALUSE_VPNVPN_N_COUNTRY_CODEVPN_NIPWin32_BaseBoardSerialNumberMbSerial_VMMbSerial%MbProductNoMbManufacturerCustomHdSerial[CPcLogGatherer::UseCustomHDSerial] dwCustomHdSerial=%dHdSerial_VMHdSerialWMINOTSUPPORTEDHdSerial2HdSerial3Win32_DiskDriveDeviceIDphysicaldrive0HdModelDISKSERIALHdSerial1_NHHdSerial2_NHHdSerial3_NHWin32_PhysicalMediaTagphysicaldrive%d00000000000000000000UsbSerial%dSYSTEM\CurrentControlSet\services\USBSTOR\EnumCountWin32_OperatingSystemOSType%02xOsTypeCdOsVerCdOSLanguage%04xOsLangCdServicePackMajorVersionOsSpCdSOFTWARE\Microsoft\CryptographyMachineGuidOsGuidSYSTEM\CurrentControlSet\Control\Terminal ServerfDenyTSConnectionsOsRemoteYnSYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileEnableFirewallDoNotAllowExceptionsOsFwStupCd03OS_FIREWALL_CD0102%04d%02d%02dLogDate%02d%02d%02d%03ldLogTime1.0LogVerPrxyUseYnP_INFPrxyIPPrxyIP_sz15PrxyCntryCdPRXY_LCAL[CPcLogGatherer::GetPcLog] m_bTimeoutReload = TRUESoftware\AhnLab\Safe Transaction\pl[CPcLogGatherer::GetPcLog] Base64Decode error=%d[CPcLogGatherer::SetPcLog] skip (%s)[CPcLogGatherer::SetPcLog] Base64Encode error=%d[CPcLogGatherer::SetPcLog] reg.Create error=%d[CPcLogGatherer::SetPcLog] 
%s=%src50app.exercsemgru.exercuimgru.exeRD|RSNORemoteEnvREMOTE_YNIS_REMOTEMadr%dValidYn^[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}$^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$Win32_keyboardDescriptionUSBPS/2%02dKbdType10-%03d-%03d-%02dOS_VSN_CD10OS_CD00OS_SPVSN99MSIEEdge60Firefox20rvOpera50OPRChromeEdg7030Safari40%s-%03d-%03d-000-000BwVsnCdBR_VERBR_LONG_NAMEBwVsnCd2%03d%s-%s-000Internet ExplorerMS EdgeEtcPubIPPubIPCntryCdENAT_ERR_CDW_COUNTRY_CODECPcLogGatherer::InitializeDBDB\ipcntry.db[CPcLogGatherer::InitializeDB] error : sqlite3_open(%s)CPcLogGatherer::SetCountryCodeselect CODE from t where START <= %u and END >= %uSTS_DHACKSTS_KEYLOG_YNELAPSED_TMCpuId_VMCpuIdCPUID0CPUID1Win32_ProcessorProcessorIdNameCpuNameCaptionCpuCaptionCpuId_NH%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02XSOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCardsServiceName%s=%s\\.\[CPcLogGatherer::GetNICMacAddress] CreateFileA(%s) error[CPcLogGatherer::GetSecuLogCount] Sdk Mode can't gathered SecuLog[CPcLogGatherer::GetSecuLogCount] cLogDB.Initialize() error[CPcLogGatherer::GetSecuLogCount] cLogDB.GetLogInterface() error[CPcLogGatherer::GetSecuLogCount] cLogDB.GetLogDataInterface() erro
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware
            Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .\StSdkSa_PcLog.cpp[IAstxSaPcLogImpl::Initialize] called[IAstxSaPcLogImpl::Uninitialize] calledIAstxSaPcLogImpl::GetPcLogA[IAstxSaPcLogImpl::GetPcLogA] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d)VirtualMachineYnYN[IAstxSaPcLogImpl::GetPcLogA] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogA] dwError(0x%08x)IAstxSaPcLogImpl::GetPcLogW[IAstxSaPcLogImpl::GetPcLogW] STSDKEX_ERROR_BAD_PARAMETER[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s) bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] SDK_MSG_ID_PCLOG_GET_ENV_INFO_FUNC strEnvType(%s), strEnvValue:(%s), bReload(%d), dwSize:(%d)[IAstxSaPcLogImpl::GetPcLogW] dwError(0x%08x)[CStSdkSaPcLog::Uninitialize] calledH
            Source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: optsvm_parallels[checVirtualMachine] vm_parallels=%d(result=%d)[procIsVmEnv] in1vm_env[procIsVmEnv] out (result:%s)[procIsRemoteEnv] inremote_env[procIsRemoteEnv] out (result:%s)[procIsVmRemoteEnv] invm_remote_env[procIsVmRemoteEnv] out (result:%s)[procIsOfflineMaster] in|bldnum[procIsOfflineMaster] out (result:%s, strBldNum : %s)[CResponseASTx2::procIsNotSupportOS] ak=[%d], fw=[%d], pb=[%d], pcs=[%d]Description[CResponseASTx2::procIsNotSupportOS] QueryDWORDValue lRet=%d, dwDesc=0x%08x[CResponseASTx2::procIsNotSupportOS] %s127.0.0.10.0.0.0ASTX2application/javascript[handleTCPClientSSL] SSL is null
            Source: V3Medic.exe, 00000006.00000003.1823374005.0000000003A24000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .\StSdkSa_Mkd25.cpp[CStSdkSaMkd25::Initialize] module:(%s)[CStSdkSaMkd25::Initialize] GetProcAddress failed:(%s)[CStSdkSaMkd25::Initialize] LoadLibraryEx failed:(%s)[CStSdkSaMkd25::Uninitialize] called[CStSdkSaMkd25::GetObject8A] called[CStSdkSaMkd25::GetObject8W] called.\StSdkSa_Pb.cpp[IAstxSaPbImpl::Initialize] called[IAstxSaPbImpl::Initialize] Running on server OS[IAstxSaPbImpl::Uninitialize] calledIAstxSaPbImpl::StartA[IAstxSaPbImpl::StartA] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartA] return (%x)stsess.exe;stsess32.exe;aupasd.exe;asdwsc.exe;asdup.exe;asdsvc.exe;asdcr.exe;asdcli.exe;akdve.exe;vmtoolsd.exe;sg_oathexe.exe;microsoftedgecp.exe;[IAstxSaPbImpl::StartA] Skip using [HSB] driver[IAstxSaPbImpl::StartA] AhnHS_Start success[IAstxSaPbImpl::StartA] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StartW[IAstxSaPbImpl::StartW] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartW] return (%x)[IAstxSaPbImpl::StartW] Skip using [HSB] driver[IAstxSaPbImpl::StartW] success [IAstxSaPbImpl::StartW] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StopA[IAstxSaPbImpl::StopA] Skip using HSB driver[IAstxSaPbImpl::StopA] Success [IAstxSaPbImpl::StopA] Fail IAstxSaPbImpl::StopW[IAstxSaPbImpl::StopW] Skip using HSB driver[IAstxSaPbImpl::StopW] Success [IAstxSaPbImpl::StopW] Fail IAstxSaPbImpl::SetActivateSubFuncIAstxSaPbImpl::SetEventCallbackIAstxSaPbImpl::SetExOptionA[IAstxSaPbImpl::SetExOptionA] Skip using HSB driverexceptprocesspid[IAstxSaPbImpl::SetExOptionA] protectProcess Ins, ulOption:(%x)IAstxSaPbImpl::SetExOptionW[IAstxSaPbImpl::SetExOptionW] Skip using HSB driver[IAstxSaPbImpl::SetExOptionW] protectProcess Ins, ulOption:(%x)[IAstxSaPbImpl::IAstxSaPbImpl] Running on server OS[CStSdkSaPb::Uninitialize] called[CStSdkSaPb::StSdk_GetPbObject] calledL
            Source: V3Medic.exe, 00000006.00000003.1848648986.0000000005D70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: serverteamviewervncWM_AKHOOK_SETSTATE\iphlpapi.dllGetExtendedTcpTablesetupapi.dllSetupDiGetClassDevsWSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetDeviceRegistryPropertyWvmicrdvQEMU-GA{4D36E967-E325-11CE-BFC1-08002BE10318}vmwarevboxvirtual hd ata devicewsnm.exeVMware View AgentSOFTWARE\Citrix\VirtualDesktopAgentCitrix\Virtual Desktop AgentWorkStationAgentWorkstationAgent.exebrokeragent.exectxsvchost.exepvsvmagent.exexenguestagent.exeParallels Tools Service%%%result\\.\pipe\session(%d)stsess[requestPIP] Connect failed(errno=%d,%s)[requestPIP] WriteAndBinRet failed(errno=%d,response=%d(%d),%s)rnd{v:%s,s:%s}{method:%d,salt:%d,stamp:%s}dataACKurlstampnorsa{method:%d,salt:%d,norsa:%d,stamp:%s}NCK[procCheckServer] result=%s,method=%dstepcert%dcert[procSetCert] result=%s,nstep=%d[procSetProtect] referer=%scustomeridakfwpbpcs[procSetProtect] customerid=[%s], ak=[%d], fw=[%d], pb=[%d], pcs=[%d][procSetProtect] customerid is invalidNSPfuncdynplycommand[procSetProtect] result=%sncert[procGetData] ncert=%d,norsa=%dcert1cert2pageid[procGetData] result=%s,pageid=%snlogoptbrowseripaddr[procGetPCLOGData] nlog=%d,norsa=%d,ipaddr=%s,browser=%s,opt=%s[procGetPCLOGData] useragent=%suseragent[procGetPCLOGData] result=%s(%.3fs)3stsvrsvr[procE2Estart] svr=%s,url=%s,useragent=%s, browser=%s,pageid=%sEGOTEG0hwnd[procE2Estart] response(%s)[procE2Estart] failed(%s)e2e_focuse2e_blur?[CResponseASTx2::getHost] AfxParseURL error(%d)https://%shttp://%s[CResponseASTx2::QueryToNzSessPipeServer] CPipeClient::CheckServer() failed. error=%d[CResponseASTx2::QueryToNzSessPipeServer] CPipeClient::Connect() failed. 
error=%d[CResponseASTx2::PostAIPScriptInfo] version=%s[CResponseASTx2::PostAIPScriptInfo] url=%s[CResponseASTx2::PostAIPScriptInfo] error=%d[CResponseASTx2::IsProtectedSite] %s, nIsProtectedSite=%d[CResponseASTx2::IsForgeryMonitorSite] %s, nIsScriptMonitorSite=%d[CResponseASTx2::IsForgeryScript] csUrl IsEmpty == true[CResponseASTx2::IsForgeryScript] csUrl=%s[CResponseASTx2::IsForgeryScript] csHost=%s[CResponseASTx2::IsForgeryScript] csObjectName=%s[CResponseASTx2::IsForgeryScript] false, %s[CResponseASTx2::IsForgeryScript] true, %s[procHello] csAgent=%s[procHello] csReferer=%s[procHello] csScriptUrl=%s[procHello] csScriptVer=%s[procHello] IsProtectedSite false - %sastx2.min.js[procHello] IsForgeryScript true - %snoenc[procE2EFormInit] ncert=%d,norsa=%d,noenc=%d[procE2EFormInit] result=%s,pageid=%s[CResponseASTx2::GetResponseData] failed SplitSubData %s/ASTX2/helloalivee2e_alivecheckset_certset_protectget_dataget_pclogis_vm_envis_remote_envis_vm_remote_enve2e_starte2e_inite2e_gettexte2e_settexte2e_cleare2e_stope2e_uninite2e_unloade2e_gethashe2e_forminite2e_formgetis_offline_masteris_not_support_oscallbacktry{%s(%s);}catch(e){}%s(%s)[getCurrentFocusWindowsHandleEdge] less-than WIN10(osver=%d)ApplicationFrameWindow[getCurrentFocusWindowsHandleEdge] pid=%d,hwnd=0x%08X,class=%s
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SOFTWARE\Ahnlab\ASP\MyKeyDefense 2.5CheckDataFile nMode[%d] bRet[%d]IPTip_Main_WindowGetExtendedTcpTable\iphlpapi.dll\StringFileInfo\%04x%04x\%sCompanyName\VarFileInfo\TranslationWorkstationAgent.exeWorkStationAgentCitrix\Virtual Desktop AgentSOFTWARE\Citrix\VirtualDesktopAgentwinvnc.exevboxvmware{4D36E967-E325-11CE-BFC1-08002BE10318}QEMU-GASetupDiGetDeviceRegistryPropertyASetupDiEnumDeviceInfoSetupDiDestroyDeviceInfoListSetupDiGetClassDevsAsetupapi.dllProductModelManufacturerWQLSELECT * FROM Win32_BaseBoardROOT\CIMV2macappleCCheckEnv HasConflictingBoard=%d.CCheckEnv NotSupportOs=%d.CCheckEnv Remote=%d.IsVirtualMachine, dwType=%dLastPolicy@
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: QEMU-GA
            Source: V3Medic.exe, 00000006.00000003.1877125538.00000000067B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .\StSdkSa_Mkd25.cpp[CStSdkSaMkd25::Initialize] module:(%s)[CStSdkSaMkd25::Initialize] GetProcAddress failed:(%s)[CStSdkSaMkd25::Initialize] LoadLibraryEx failed:(%s)[CStSdkSaMkd25::Uninitialize] called[CStSdkSaMkd25::GetObject8A] called[CStSdkSaMkd25::GetObject8W] called.\StSdkSa_Pb.cpp[IAstxSaPbImpl::Initialize] called[IAstxSaPbImpl::Initialize] Running on server OS[IAstxSaPbImpl::Uninitialize] calledIAstxSaPbImpl::StartA[IAstxSaPbImpl::StartA] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartA] return (%x)stsess.exe;stsess32.exe;aupasd.exe;asdwsc.exe;asdup.exe;asdsvc.exe;asdcr.exe;asdcli.exe;akdve.exe;vmtoolsd.exe;sg_oathexe.exe;microsoftedgecp.exe;[IAstxSaPbImpl::StartA] Skip using [HSB] driver[IAstxSaPbImpl::StartA] AhnHS_Start success[IAstxSaPbImpl::StartA] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StartW[IAstxSaPbImpl::StartW] AhnHS_Activate fail, dwError:(%x)[IAstxSaPbImpl::StartW] return (%x)[IAstxSaPbImpl::StartW] Skip using [HSB] driver[IAstxSaPbImpl::StartW] success [IAstxSaPbImpl::StartW] AhnHS_Start fail, dwError:(%x)IAstxSaPbImpl::StopA[IAstxSaPbImpl::StopA] Skip using HSB driver[IAstxSaPbImpl::StopA] Success [IAstxSaPbImpl::StopA] Fail IAstxSaPbImpl::StopW[IAstxSaPbImpl::StopW] Skip using HSB driver[IAstxSaPbImpl::StopW] Success [IAstxSaPbImpl::StopW] Fail IAstxSaPbImpl::SetActivateSubFuncIAstxSaPbImpl::SetEventCallbackIAstxSaPbImpl::SetExOptionA[IAstxSaPbImpl::SetExOptionA] Skip using HSB driverexceptprocesspid[IAstxSaPbImpl::SetExOptionA] protectProcess Ins, ulOption:(%x)IAstxSaPbImpl::SetExOptionW[IAstxSaPbImpl::SetExOptionW] Skip using HSB driver[IAstxSaPbImpl::SetExOptionW] protectProcess Ins, ulOption:(%x)[IAstxSaPbImpl::IAstxSaPbImpl] Running on server OS[CStSdkSaPb::Uninitialize] called[CStSdkSaPb::StSdk_GetPbObject] called
            Source: V3Medic.exe, 00000006.00000003.1778783611.0000000003A58000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .\WinEventHook.cpp[CWinEventHook::Initialize] tid(%d) is recycled.[CWinEventHook::Initialze] hwnd=%x, pData->hHook=%08xhHook[CWinEventHook::Initialze] SetWinEventHook failed[CWinEventHook::Uninitialize] pData->m_hHook=%08x[CWinEventHook::Uninitialize] unhook failed, pData->m_hHook=%08x[CWinEventHook::WinEventProcFocus] ByPass, IsProhibited true[CWinEventHook::WinEventProcFocus] CLASS_IE_SHDOCVW ignored, role=%08x, hwnd=%08x[CWinEventHook::WinEventProcFocus] non-client, role=%08x, hwnd=%08x..\Common\ak_controller.cppm_hSession != NULLpByte16 != NULLpIV16 != NULL..\Common\ak_controller.cpppByte != NULLpIV != NULL%d.%d.%d.%d0.0.0.0[CController::Initialize] MKD2_CRACH_SKEY_CHKANDSTOP Success[CController::Initialize] MKD2_CRACH_SKEY_CHKANDSTOP Error [0x%08x][CController::Terminate] Mkd2Ctl_Terminate() fail.(0x%08x)[CController::PsPageInInit] Mkd2Ctl_PsPageInInit() fail.(0x%08x)[CController::PsPageInInit] Changed to unprotected mode[CController::PsPageInInit] Mkd2Ctl_AddFilterMode, dwResult=%d[CController::PsPageOutCleanUp] Mkd2Ctl_PsPageOutCleanUp() fail.(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(%ld)dwError == 0[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD20) error(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD26) error(0x%08x)[CController::SetRule] Mkd2Ctl_Set_Rule_Version(RULE_MKD25) error(0x%08x)[CController::GetKeyActionTable] Mkd2Ctl_Get_Rule_VersionEx error=%d[CController::SetKeyActionTable] GetKeyActionTable error(0x%08x)[CController::SetKeyActionTable] Mkd2Ctl_Set_Rule_VersionEx(%ld)[CController::SetKeyActionTable] Mkd2Ctl_Set_Rule_VersionEx(%ld) error(0x%08x)[CController::SetAkCtlLogPath] log skipAkCtl.log[CController::SetAkCtlLogPath] Mkd2Ctl_StartSecureLogAndSetPath szLogPath[%s][CController::SetAkCtlLogPath] Mkd2Ctl_StartSecureLogAndSetPath 
Failed[0x%08x][CController::PreInitialize] IsVirtualMachine, dwVMType=%x[CController::PreInitialize] Running on server OS. Skip using AK driver
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [CDriverLoaderForVista::SetDriverParam] lRet=%d, dwParam=%x, dwInstallDate=%xParam1SYSTEM\CurrentControlSet\Services\Mkd2KfNtSYSTEM\CurrentControlSet\Services\Mkd3KfNtInstallDateSOFTWARE\Microsoft\Windows NT\CurrentVersion[CDriverLoaderForVista::UnSetDriverParam] lRet=%dvboxvmware{4D36E967-E325-11CE-BFC1-08002BE10318}QEMU-GASetupDiGetDeviceRegistryPropertyASetupDiEnumDeviceInfoSetupDiDestroyDeviceInfoListSetupDiGetClassDevsAsetupapi.dll
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine, dwType=%d
            Source: V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware View Agentwsnm.exexenguestagent.exepvsvmagent.exectxsvchost.exebrokeragent.exe
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware View Agentwsnm.exexenguestagent.exepvsvmagent.exectxsvchost.exebrokeragent.exeP
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_UnloadDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver bypass.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_LoadDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver leave.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_RegisterDriver enter.[CDriverLoaderForVista::DriverCtrlThreadProc] Mkd2Ctl_StartSecureLogAndSetPath failed[0x%08x][CDriverLoaderForVista::DriverCtrlThreadProc] IsVirtualMachine, dwVMType=%d[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop failed. (0x%x)[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop leave.[CDriverLoaderForVista::CreateDriverCtrlThread] WaitLoop enter.[CDriverLoaderForVista::CreateDriverCtrlThread] _beginthreadex failed. %d[CDriverLoaderForVista::LoadDriver] already loaded.[CDriverLoaderForVista::LoadDriver] called.[CDriverLoaderForVista::UnloadDriver] not loaded.[CDriverLoaderForVista::UnloadDriver] called.
            Source: V3Medic.exe, 00000006.00000003.1983606470.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [CDriverLoaderForVista::DriverCtrlThreadProc] IsVirtualMachine, dwVMType=%d
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FB0BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_101101FA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100151A4 lstrcmpiW,AllocateAndInitializeSid,GetLastError,HeapAlloc,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetLastError,GetFileSecurityW,GetLastError,GetProcessHeap,HeapAlloc,GetFileSecurityW,GetLastError,InitializeSecurityDescriptor,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetAclInformation,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,GetLastError,GetAce,GetLastError,EqualSid,AddAce,GetLastError,AddAccessAllowedAce,GetLastError,GetAce,GetAce,GetLastError,AddAce,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetModuleHandleW,GetProcAddress,GetSecurityDescriptorControl,GetLastError,GetLastError,SetFileSecurityW,GetLastError,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FB0BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FD98A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_1010FF2F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,

            HIPS / PFW / Operating System Protection Evasion

            Source: medvpdrv.sys.6.drStatic PE information: Found potential injection code
            Source: medvpdrv.sys0.6.drStatic PE information: Found potential injection code
            Source: C:\Users\user\Desktop\astx_setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C "ECHO Y| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeProcess created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
            Source: C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exeProcess created: C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100FA845 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_memset,GetVersionExW,CreateMutexW,CreateMutexW,CreateMutexW,GetCurrentProcessId,
            Source: C:\Users\user\Desktop\astx_setup.exeCode function: 0_2_100151A4 lstrcmpiW,AllocateAndInitializeSid,GetLastError,HeapAlloc,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetLastError,GetFileSecurityW,GetLastError,GetProcessHeap,HeapAlloc,GetFileSecurityW,GetLastError,InitializeSecurityDescriptor,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetAclInformation,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,GetLastError,GetAce,GetLastError,EqualSid,AddAce,GetLastError,AddAccessAllowedAce,GetLastError,GetAce,GetAce,GetLastError,AddAce,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetModuleHandleW,GetProcAddress,GetSecurityDescriptorControl,GetLastError,GetLastError,SetFileSecurityW,GetLastError,
            Source: V3Medic.exe, 00000006.00000003.2279453834.00000000067A9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .\FunctionHook.cpp[HookFunction] Fatal error : Can't add FunctionHookInfo.\FunctionHook.cpp[HookFunction] Can't Hook the %S %p.\FunctionHook.cpp[HookFunction] Can't find the %S's address.\FunctionHook.cpp[HookFunction] Can't get the %S's address.\FunctionHook.cpp[HookFunction] Can't load the %S.\FunctionHook.cpp[FH_FindCodePattern] exception, Failed to find patternuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeuser32.dllUserClientDllInitializeRtlRetrieveNtUserPfnntdll.dllRtlRetrieveNtUserPfnntdll.dllNtQueryInformationProcessntdll.dllNtQueryInformationProcessntdll.dll%02X.\GlobalHookProtect.cppAtsVerifyExternalFile(CAT) - file=[%s], result=[0x%08X].\GlobalHookProtect.cpp[AhnLabSignatureCheckFunc] ptszSourceFile is NULL.\GlobalHookProtect.cppAtsVerifyInternalFile() - file=[%s], result=[0x%08X].\GlobalHookProtect.cpp[AhnClientLoadLibrary] PROTECT >> %sATamptU.dll.\GlobalHookProtect.cpp[AhnClientLoadLibrary] Exception !!ATamptU.dllATamptU.dllATamptU.dllATamptU.dllATamptU.dlluser32.dllgSharedInfo.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] Find_pfnClient Failed.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] FH_HookFunction Failed.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] GetModuleHandleW Failed.\GlobalHookProtect.cpp[GlobalHookProtect_Initialize] Initialize.\GlobalHookProtect.cpp[GlobalHookProtect_Finalize] Finalize.\GlobalHookProtect.cpp[GlobalHookProtect_Start] Start.\GlobalHookProtect.cpp[GlobalHookProtect_Stop] 
Stopuser32.dllUserClientDllInitializeuser32.dllPeekMessageAuser32.dllPeekMessageWuser32.dllGetMessageAuser32.dllGetMessageWuser32.dllSendMessageAuser32.dllSendMessageWuser32.dllPostMessageAuser32.dllPostMessageWuser32.dllDispatchMessageAuser32.dllDispatchMessageWuser32.dllPostQuitMessageShell_TrayWndDV2ControlHostTaskListThumbnailWndWindows.UI.Core.CoreWindow
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: GetLocaleInfoA,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_1010B0DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_1010BB2E __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
            Source: C:\Users\user\Desktop\astx_setup.exe Code function: 0_2_100FA845 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_memset,GetVersionExW,CreateMutexW,CreateMutexW,CreateMutexW,GetCurrentProcessId,
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            1 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
            Default Accounts | 12 Service Execution | 1 Valid Accounts | 1 Valid Accounts | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Credential API Hooking | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | 22 Windows Service | 11 Access Token Manipulation | 2 Software Packing | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | 1 Services File Permissions Weakness | 22 Windows Service | 1 DLL Side-Loading | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | 112 Process Injection | 22 Masquerading | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | 1 Services File Permissions Weakness | 1 Valid Accounts | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | 11 Access Token Manipulation | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Services File Permissions Weakness | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
            Behavior Graph ID: 755221, Sample: astx_setup.exe, Startdate: 28/11/2022, Architecture: WINDOWS, Score: 34
            DNS/IP: webclinic.ahnlab.com.cdngc.net, webclinic.ahnlab.com, 2 other IPs or domains
            Signatures: Yara detected GuLoader; Yara detected AntiVM3; Found driver which could be used to inject code into processes; May modify the system service descriptor table (often done to hook functions)
            • astx_setup.exe 64 (started)
                dropped: C:\Users\user\AppData\Local\...\V3Medic.exe, PE32
                dropped: C:\Users\user\AppData\Local\...\asdahc.nz, 7-zip
                dropped: C:\Users\user\AppData\Local\...\Update.nz, 7-zip
                dropped: 30 other files (27 malicious)
                signature: Writes many files with high entropy
                • V3Medic.exe 23 503 (started)
                    dropped: C:\Program Files\AhnLab\...\medvpdrv.sys, PE32+
                    dropped: C:\Users\user\AppData\Local\...\tnnipsig.rul, data
                    dropped: C:\Users\user\AppData\Local\Temp\...\msg.dat, data
                    dropped: 287 other files (10 malicious)
                    signature: Writes many files with high entropy
                    • SysX64.exe 1 (started)
                        • conhost.exe (started)
                    • SysX64.exe 1 (started)
                        • conhost.exe (started)
                • cmd.exe 1 (started)
                    • conhost.exe (started)
                    • cmd.exe 1 (started)
                    • cacls.exe 1 (started)

            Source | Detection | Scanner | Label
            astx_setup.exe | 2% | ReversingLabs |
            astx_setup.exe | 1% | Virustotal |
            Source | Detection | Scanner | Label
            6.3.V3Medic.exe.5b54600.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
            6.3.V3Medic.exe.5ab0000.5.unpack | 100% | Avira | TR/Patched.Ren.Gen7
            6.3.V3Medic.exe.6065a80.14.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            Source | Detection | Scanner | Label
            webclinic.ahnlab.com.cdngc.net | 0% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            webclinic.ahnlab.com.cdngc.net | 101.79.212.66 | true | false |  | unknown
            gms.wip.ahnlab.com | 34.249.110.217 | true | false |  | high
            webclinic.ahnlab.com | unknown | unknown | false |  | high
            gms.ahnlab.com | unknown | unknown | false |  | high
                                                                  http://www.disig.sk/ca0fV3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.e-szigno.hu/RootCA.crlV3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.symauth.com/rpa00V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.sk.ee/juur/crl/0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://crl.chambersign.org/chambersignroot.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://crl.xrampsecurity.com/XGCA.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.7-zip.org/sdk.htmlV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.info-zip.org/V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.quovadis.bm0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://github.com/wycats/handlebars.jsV3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.trustdst.com/certificates/policy/ACES-index.html0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.firmaprofesional.com0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.openssl.org/)V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.pkioverheid.nl/policies/root-policy-G20V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://mgactivation.ahnlab.com/api/auth/v1/healthcheckV3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.netlock.net/docsV3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.phreedom.org/md5)0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crlV3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://crl.entrust.net/2048ca.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://gladman.plushost.co.uk/oldsite/AES/index.phpV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://%1/CertEnroll/%1_%3%4.crtfile://V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  low
                                                                                  http://www.aarongifford.com/V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://fedir.comsign.co.il/crl/ComSignCA.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://ocsp.sectigo.com0V3Medic.exe, 00000006.00000003.2143577905.0000000006AB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://ocsp.entrust.net03V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://cps.chambersign.org/cps/chambersroot.html0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.firmaprofesional.com/cps0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://%1/CertEnroll/%3%8%9.crlfile://V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    low
                                                                                    http://wakaba.c3.cx/s/apps/unarchiver.htmlV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://crl.securetrust.com/SGCA.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl0V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://code.bandisoft.comV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://crl.securetrust.com/STCA.crl0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://mozilla.org/MPL/2.0/.V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.bzip.org/downloads.htmlV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://download.ahnlab.com/down/ahnreport/AhnRpt.exeV3Medic.exe, 00000006.00000003.1378099121.0000000003240000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://crl.thawte.com/ThawteTimestampingCA.crl0V3Medic.exe, 00000006.00000003.1420382575.0000000004040000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2201964543.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1997387941.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1759759379.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1885537209.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1963764220.0000000000629000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1929338565.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1856686596.000000000608F000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2270494586.0000000006597000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1758039315.0000000000627000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.2210361972.000000000062D000.00000004.00000020.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1855415087.0000000006012000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.e-szigno.hu/RootCA.crt0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.quovadisglobal.com/cps0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://ncompress.sourceforge.net/V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.wavpack.com/V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://seed.kisa.or.kr/iwt/ko/sup/EgovLeaInfo.doV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.valicert.com/1V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmp, V3Medic.exe, 00000006.00000003.1577088768.0000000000620000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://gactivation.ahnlab.com/api/auth/v1/activate/clientV3Medic.exe, 00000006.00000003.2127012435.000000000389C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.e-szigno.hu/SZSZ/0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://%1/CertEnroll/nsrev_%3.aspldap:///CN=%7%8V3Medic.exe, 00000006.00000003.1591414722.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          low
                                                                                                          https://github.com/wycats/handlebars.js)V3Medic.exe, 00000006.00000003.1527249058.0000000005AB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://ocsp.quovadisoffshore.com0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://ocsp.entrust.net0DV3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.winace.com/V3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://cps.chambersign.org/cps/chambersignroot.html0V3Medic.exe, 00000006.00000003.1599622384.0000000005F9C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://mattmahoney.net/dc/zpaq.htmlV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.zlib.net/zlib_license.htmlV3Medic.exe, 00000006.00000003.2056642457.0000000005AB1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 755221
Start date and time: 2022-11-28 13:40:01 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: astx_setup.exe
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus34.rans.troj.evad.winEXE@16/713@3/0
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
• Created / dropped Files have been reduced to 100
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target V3Medic.exe, PID 6624 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.
No simulations
No context
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):110904
                                                                                                                Entropy (8bit):5.727949815668744
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:h9eJxJSRE87TODAFI7c2Hnye0JoWV/cw/L:brRE87K0F4jYoWpx
                                                                                                                MD5:ED19F652BB5A53BA04EFEDD277808D44
                                                                                                                SHA1:27C2C3F47048557E8241B86F9A41FF87CA496BB1
                                                                                                                SHA-256:03E94DBCC74E14927EB77361C98513464CD36797E2C99A47EAD5ACD2F270697C
                                                                                                                SHA-512:BC2902186FB7F6AE4225FADF8DE4EF170C5078CE77AF701080752A52B07E68926AFABA68B7145B3063D0AAF5320953E8782B8BC19C3668B5A8EA34C2DB51F730
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):76744
                                                                                                                Entropy (8bit):6.278803320665906
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:z/AIFd4bP9qNlbMLoGGRnNFzp47dal4MW:z/9d4L9Q2LoGWbiIaz
                                                                                                                MD5:6DAEEDE536374A5A1106D140EB39E36B
                                                                                                                SHA1:00CD82052C3FFE6E8CC59488FDFA34FA21B65334
                                                                                                                SHA-256:E51FC1DC8FEEBF82F2A197E88001787986239A29B984A24BF9B7C74C8C2D7248
                                                                                                                SHA-512:AF74D2FBA0E2657DED5873F5EF9FC2384ED98774530F7478848076AD902ABFC66C151A402A9D263FD8B8B1CE22EA70439E7B0E54750BD5F57DE2FB6FF19D6F64
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 172 bytes, 1 file, at 0x44 +AX "Ark32.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):11028
                                                                                                                Entropy (8bit):7.623917073492213
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:ZgvhIYiYF82M34qFIwUtmWJfsHR9y2sE9jBFL2UzZQHn4M:Zg5IYitvUtm4i/8E9VFL2UtQH4M
                                                                                                                MD5:727F84AF01A30962FE25ECE73B37814D
                                                                                                                SHA1:01A8AA51443BEA3424FCC6EEDACBD1031EFB8E13
                                                                                                                SHA-256:BF5E2C43BBF220809EF7FEAA96DA5AFEA2A15B4845005E569260D4B3C913CB7B
                                                                                                                SHA-512:9EB0628AA88D91C8CA7B01FAE619355ED38B4B7A952539865ADA5D20A1B91874DEF396D16BD8C95109D13BBB40AC7999D240C37C4786CFE89796E80070600A3D
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 178 bytes, 1 file, at 0x44 +AX "Ark32lgplv2.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):11034
                                                                                                                Entropy (8bit):7.629657496141642
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:1FIYiYF82M34qFIwzKJalQWJfsHR9y2sE9jBFL2UzZE4si:1FIYitvzKJalQ4i/8E9VFL2UtE+
                                                                                                                MD5:576669DA46F870202AAF654901A676AF
                                                                                                                SHA1:E06726A8432D53D0C093C8AB956D0C777E196C1C
                                                                                                                SHA-256:C122C70BF9CF551C59DF532D852DDB752E51ACBFBEE92DE9B72C5F400115F6AF
                                                                                                                SHA-512:14ADA27D5A70ACE63FC6E9B4DFAD15AE7B7BD540F800962331BC97D8A225C4C4498FAC6E782BE24B6A8E057ADE985EA194F6BAB5818CDC6960FEA0BC9777EB5A
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 172 bytes, 1 file, at 0x44 +AX "Ark64.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):11028
                                                                                                                Entropy (8bit):7.624446104806095
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:07IYiYF82M34qFIwl7LaLWJfsHR9y2sE9jBFL2UzZEi:07IYitvl7+L4i/8E9VFL2UtEi
                                                                                                                MD5:7316D2E214A0FD1F5D92AC078A42E266
                                                                                                                SHA1:36C89819F48F4189323A9D4737B28C4F35D9CD3C
                                                                                                                SHA-256:4EA96C4A3137365CE507D7D89C690ACF6B1DC97FD92A102128A80FC45512AE09
                                                                                                                SHA-512:712F097902573F80066313BB025C59AB1B2BEA6CCE42B55315F5162BB104FB92E2ECCC7F23C227504782037D45D11EB421D1FF150B5E3EBC361E1E02A3E79553
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 173 bytes, 1 file, at 0x44 +AX "Ark64a.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):11037
                                                                                                                Entropy (8bit):7.622721528183033
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:ujPIYiYF82M34qFIkeuLJ0gaOWJfsHR9y2sE9jBFL2UzZsRn:ubIYitvNLF4i/8E9VFL2UtsR
                                                                                                                MD5:C89A3327D1023B1046DADB9EF38A9CC4
                                                                                                                SHA1:98DABA53F58F0E2690F9668693A55404F629A1EF
                                                                                                                SHA-256:B4ED00F58E44BC656FB90A29DB71B563728ADD5166014DAA883C2B8CDC5DCAE1
                                                                                                                SHA-512:513CE80768E457EC4978D49EE998AFB0199A2582CB64748466DDA16592B72BCD7CA41FA3C6B0AF959B89B93ED9AFD350505C7857CD02CAB3FE446D132CFE9FC1
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 179 bytes, 1 file, at 0x44 +AX "Ark64algplv2.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):11035
                                                                                                                Entropy (8bit):7.627543987594771
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:B1+IYiYF82M34qFIwFbrEw8WJfsHR9y2sE9jBFL2UzZAee2:B1+IYitvFHB84i/8E9VFL2UtAee2
                                                                                                                MD5:1D2B7AB2A3BEB4160DAA0203D6407FC9
                                                                                                                SHA1:B0EA2F1986C485AE390F58C08B4740D96EE02512
                                                                                                                SHA-256:E7DD82367FF8A66570EAB691EAFEBCB5FA4C175A390315B5517E948F79F806B5
                                                                                                                SHA-512:760D5BD9198089AEE5A54AC26FCC579D6AB688ED9A4C260FBB2C88781932029C4E7E986C68198C692AC320A07F74EC2EDE03B18B7295C38834753CE01E5160AB
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 178 bytes, 1 file, at 0x44 +AX "Ark64lgplv2.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):11034
                                                                                                                Entropy (8bit):7.620996950141226
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:wNIYiYF82M34qFIwp69sWJfsHR9y2sE9jBFL2UzZhMX9G/:wNIYitvp69s4i/8E9VFL2UthMtw
                                                                                                                MD5:BC626499AF7D3F09723B76BB27304C1D
                                                                                                                SHA1:AABD8E8FA72A6EB2864F0107E2B12433FAF4B71B
                                                                                                                SHA-256:38D2E303FE97AE694F9C993736DB5B791CB523F81C095B475889022832C727EC
                                                                                                                SHA-512:B3036E353118D9FF15B7BCEDD2C6BBC2F0A59CC69536D623F0ACC53222D755627BC4AC111E697BC58A11030C3D792A3D0C42857156D117E38BCF95179322C332
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcp90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10982
                                                                                                                Entropy (8bit):7.630453563750433
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:6IYiYF82M34qFIIauV+noPOJB3hy2sE9jBF0NyPIjwlKpE:6IYitv6jPxh8E9VF0NyP+YKu
                                                                                                                MD5:7477778473856EF6AB1A747658FFA704
                                                                                                                SHA1:CEF501CE9BB0948B91EF33D999C5221D432D8F24
                                                                                                                SHA-256:06D2088C3C3D4D31ADED1B7E98398869F36D12235072B3308184A65177104FCC
                                                                                                                SHA-512:A8BDE84DB21C5CF033807B7E9E20B2934C058C02DDFA707D42849BD9CBAAEA3E485934B8ED45063A58145B2022623533938FA9C54F571440F0E96CD09CC04B25
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcr90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10982
                                                                                                                Entropy (8bit):7.636438381503087
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:nIYiYF82M34qFI2PO9BT8+noPOJB3hy2sE9jBF0NyAelnivhka1:nIYitv7W9BThPxh8E9VF0NyAGn+hka1
                                                                                                                MD5:5A5824134E91A727AB73ABF5F50DC440
                                                                                                                SHA1:D125B71DF4EA4C4861D104DECF2A2ACDDCF123E5
                                                                                                                SHA-256:35E8F87634978ECF6EBEB7C4D380936E757A1B1843464AFE4D093C84C8A41580
                                                                                                                SHA-512:490D645983D9087F295E74E68B0FBFB1258500FAF39E0739B18116601E0326E824657B581E0DD88B05172D57EAB53F58DAF98FEBA1A5E2DA4E614785E1C33D45
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcp90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10982
                                                                                                                Entropy (8bit):7.638792345823077
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:wIYiYF82M34qFIIGEyWE+noPOJB3hy2sE9jBF0NyYjl8kr:wIYitvmE5Pxh8E9VF0NyYpRr
                                                                                                                MD5:E7244F5137B83C216A283DF04AAF8C6F
                                                                                                                SHA1:3252CA7EE9F2E148B644C856A737D32EC8FAC5CD
                                                                                                                SHA-256:4AFD857285741CD8662635011FECC610BF93449F9BB4D2AE8B46E505E0FF8A88
                                                                                                                SHA-512:100192C77B0ACC798C31DFD9A1CCFC001E476260C2F7868BED405F4AF199D104133655881CD5BAA47F2513BEE23EFC3D0D3B1EB0EBFBD4825A47823E344B9007
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcr90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10982
                                                                                                                Entropy (8bit):7.62718970276648
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:IJHIYiYF82M34qFI2P8kLP+noPOJB3hy2sE9jBF0NynXl6FLG:IVIYitv7kkLGPxh8E9VF0NynV6hG
                                                                                                                MD5:3EEDBECC41F04E495F3DF817F0161CF0
                                                                                                                SHA1:A4F7FD7656092B530F9A87AF37BB9AC5FE833643
                                                                                                                SHA-256:1507D929CE32200392EEE068FA9DE591707D62FED06ED483E4BB9F1BF062CE87
                                                                                                                SHA-512:8AADCAFFD5F07647DEC67D909193B49BAA38E9F35783AD30623CE43F8B0E7D2B6948E70C6A609B2C9B638D0FD44CB46FE89DB80165C2C21D9721E03BDDEF06C6
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 171 bytes, 1 file, at 0x44 +AX "asdf.sld.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):15811
                                                                                                                Entropy (8bit):7.4572255711379585
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:y4y7wa+pY0RFXRKOBxQUeyt/p23+r/jLVY:hyU1fDBzRp23+zja
                                                                                                                MD5:59402821A9760D1789FDD15DE3E0EEAC
                                                                                                                SHA1:8EBDA649BBC7E258DBA0515E09B6799276AAB20F
                                                                                                                SHA-256:E97B7598A62230BA2543169A107410775BABD83602F6AB13D384487427D7B7B1
                                                                                                                SHA-512:C1334EAFA8204D61650D958FB7876DDF785514FD51E5D82E97106EA213AEB9B38A0369A05AFF57B3EEA964639748DD6C8943F751C713B5D94565290D8C0752BE
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 172 bytes, 1 file, at 0x44 +AX "asdsr.dat.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8188
                                                                                                                Entropy (8bit):7.318627564911616
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:/5B9Y+YZTY/9Zvc3FUNBdtH2QLqY2DsQtPuohMVHpYn2GWmoTWYu3JUfhdyEi7Z+:OLZscF8Bd1LLvCs1iYH+2zmqWBZH7uD3
                                                                                                                MD5:3432003637F74064E8C0AEB34B583D93
                                                                                                                SHA1:17CD3FEC9BDFF1F4635F9349ADA7A9FC4D40B3D7
                                                                                                                SHA-256:783BF091384FB7217F4D7163757E26771685A90BBE9A152F97961C186243F844
                                                                                                                SHA-512:88EAEE5AC4424729A23358BCC22E40398F84B09C3DDE16E78117FFF9C9D9DA7031C03AE7B4FE06BB0EC1209F9002A9AADDE073DB6D4E574073A581C71BD5ECD6
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 173 bytes, 1 file, at 0x44 +AX "ckwcfg.dat.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10973
                                                                                                                Entropy (8bit):7.633731182014498
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:Y1NIYiYF82M34qFIorR/WJfsHR9y2sE9jBF0Nyme4/UeBsqsz:Y7IYitvDx4i/8E9VF0NymNe7
                                                                                                                MD5:CDC7A449223FAF260A7B0B097EA3CCBE
                                                                                                                SHA1:58AC6CE0B0F96AE17D1416FB66F9FD798965D431
                                                                                                                SHA-256:057A96FD975F0D59915BAEA184586D3913EEF2E298449100096A232A08D57B63
                                                                                                                SHA-512:1F64CA3E452A1FC2D216B292BCFF66B86185A5088A8B83DA040477678C5E4302D403E39B59AF3D9B2C1606D721D8F15FE4FC504FCA4B0A8F5BA0B55FE3E2F3F8
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 174 bytes, 1 file, at 0x44 +AX "drvinfo.ini.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10974
                                                                                                                Entropy (8bit):7.628058048904563
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:aIYiYF82M34qFIoT+gD+NiWJfsHR9y2sE9jBF0Nyr7PM:aIYitvL+g6Ni4i/8E9VF0Nyr7PM
                                                                                                                MD5:320DE6406D07F4616E4CD997A295FFB2
                                                                                                                SHA1:FDF211A5B96BEBADCB83CE74C87E20D7A9B75E8B
                                                                                                                SHA-256:85E2E0C5DD208DE530B61D3F3FB5975F149A2AE8B4C9C5F20EF4DD8ADC8372A7
                                                                                                                SHA-512:3D8C24B75E76A61C20FCB59FC7AF5A02D0A0369E7119DDA957EEF31A2C318F134B2B4BC5FB8EBF4BBF43A53173E40B4DE239F3019317A6289E5E3D40C4E2C882
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "product.dat.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10982
                                                                                                                Entropy (8bit):7.626235361793961
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:v/IYiYF82M34qFIIY0GV+noPOJB3hy2sE9jBF0Nya6lxwR:3IYitv40PPxh8E9VF0NyaqxwR
                                                                                                                MD5:2974E661965343BE2631CBA747AC2622
                                                                                                                SHA1:414842297E6C1804E272A7EC7E938698A93630FC
                                                                                                                SHA-256:BAC9573933158C513ACCC5198D66D12F400408D803B3D69467D8E097901C6AAF
                                                                                                                SHA-512:E62C1960746EDE5BDE62D56520C1824F6F34223584718161D3E4F6A6E1117D6F4DCB152811C5E2C0A76FBF75B4CEC3552EB7AEFC54D5BACCB72DD995C35E5DED
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):174104
                                                                                                                Entropy (8bit):6.091677837548821
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:LQt0KzIz50IQkKPB+Pyz3L2YJ7Ssamp+7QF6zxNRx5ejJJVEN2L1FA4:LcRLLiU2YJWsf8bejJwG
                                                                                                                MD5:31C67060D0B9AAE5C7DFF17EE79996E4
                                                                                                                SHA1:133DEF015F0E64EFC31C55B3CF36FD2404911937
                                                                                                                SHA-256:F7A7059CC4485067B6517DCBAA4239DEC8294017E50791966E06EAF5F90CE5D6
                                                                                                                SHA-512:72C0EB5C9D87593E32FE34934E138D1152CEFD335D4AE9883F04A4CF88EF864F6303B62CEB9BA976B88C6F97B75B36AFAD4FB0EB0C8E671039B0576DC11E12D0
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):28416
                                                                                                                Entropy (8bit):5.965375645303923
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:c3nkC0P0sL1O0znXoClBwPYNkmLDEMjFrg6hhZsHLAbhrc:AULw0kPwNhEM1gECqhg
                                                                                                                MD5:7CDBC107A646C1B9852C7B5730BF87C0
                                                                                                                SHA1:F8ACFB2CC9EA88521A6630C3286B16CB527EDB8D
                                                                                                                SHA-256:77CDB6B95CC6D1F4A83E306A6EE0A5BDF907D27435F96AC43D181E522DB968BC
                                                                                                                SHA-512:BA9574454335447635C3E0D9CAC1983A7DCA697FCE58A0A81F33B713FE5B8ED592C9D969606BEB24E2057D47479837F52EE7E020EFD9FA1C78DB30102A5666FC
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8421
                                                                                                                Entropy (8bit):7.22148801908308
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:nX6H320oECl6EBmMBWJdZ2Mf5rfoEXpBjSou:nq7m8SmJdZ2OfXXpBjhu
                                                                                                                MD5:E9BDC36F448FCC137B9B18A37E8BF9B5
                                                                                                                SHA1:86E81D59DED13EE3532438DBF2903053B0550C43
                                                                                                                SHA-256:E6960D20598A27B8154B75AB9BE5DD8186E5D38CCD720ABD48CCB1A76334C20B
                                                                                                                SHA-512:8CB667AB6AB32AADF6DA68A87CC2B9A9D6205E25EDD7D6274BF7E17100E2A7E031ED9676B89619CB9192F5AB9E2F4D8E2CD97933DD73591A1D40E4D9077A0F3A
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Windows setup INFormation
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2979
                                                                                                                Entropy (8bit):5.1590609752075585
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:/ZHNMJmrGhDugBq0FIlDV1qXmHhV3tFiRFZeDRHgDW1dDoFAqQvo2nxsp5+y+anD:hHNMMGJuf0FY2pGXfZv++yB3uHpS
                                                                                                                MD5:E22703E733A5569D0D199462EA8F6D69
                                                                                                                SHA1:0D8A7BEC5FABC92BC65A666DEEC7C0730C98AD9F
                                                                                                                SHA-256:0DEA44212B3DA0228E9D33CEC47CBF531D2A94B4A5B1BD5B7366A69FC0299B23
                                                                                                                SHA-512:20C9BAD169AC28A6FC1C2A2688F9AF270F6E5BC11CBE8EBA2233D1BE0112FA0A647F34921840AA16DE3601AC28178212ED73ABCA950731C39C2B73DD80A9C1A6
                                                                                                                Malicious:false
                                                                                                                Preview:;-------------------------------------------------------------------------..; AMonlwlh.INF -- NDIS Usermode I/O Driver..;..; Copyright (c) AhnLab.Inc All rights reserved...;-------------------------------------------------------------------------..[version]..Signature .= "$Windows NT$"..Class .= NetService..ClassGUID .= {4D36E974-E325-11CE-BFC1-08002BE10318}..Provider .= %AhnLab%..CatalogFile.= amonlwlh.cat..DriverVer.= 08/25/2014,4.0.0.20....[Manufacturer]..%AhnLab%=AHNLAB,NTx86,NTia64,NTamd64....[AHNLAB.NTx86]..%ALWF_Desc%=Install, AHNLAB_LWF....[AHNLAB.NTia64]..%ALWF_Desc%=Install, AHNLAB_LWF....[AHNLAB.NTamd64]..%ALWF_Desc%=Install, AHNLAB_LWF....;-------------------------------------------------------------------------..; Installation Section..;-------------------------------------------------------------------------..[Install]..AddReg=Inst_Ndi..Characteristics=0x40000..NetCfgInstanceId="{4F9A48F2-91CE-46e7-98CB-582B8EC4A3A3}"..Copyfiles = Alwf.copyfiles.sys....[SourceD
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):71320
                                                                                                                Entropy (8bit):6.508611684996172
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:x6itx1u/C97GTjkRHS4/X9HwjQzLBPrEb7+KvFg911tC8pU/Aa+3p23+zjx:faaQ/kRy4FHTI+8FCtC8iYI0x
                                                                                                                MD5:431E04EBDF9BF0403EE689F8A1DFDFC3
                                                                                                                SHA1:E74E4846A34D29A4373FAE1230388411BF2E83B8
                                                                                                                SHA-256:187A08D268EF09AA7C9EDF6C49642451FF14BA7455B0A8F01B0585FC8B2B2AAF
                                                                                                                SHA-512:46174E1BE2BC7D8AD0B89A6ECE07730408A35399CBF740FC69FAC7040A60782E70C2443C1976C5530D33243FD29D0EB3304B04A13670CE435BDBE72A17DDE51C
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2618896
                                                                                                                Entropy (8bit):6.223663881006674
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:5TjfSk18xCIHJ+zVPbKONmcYuDVTE3AQREHwQw:hqk1WOV6um33/
                                                                                                                MD5:F6262C40F3D682D635466116FFE5BA99
                                                                                                                SHA1:FC05D3CAED28C00F834CDE01FF6C8224801DD5E9
                                                                                                                SHA-256:D0BC7D93E65D432849C7160A4B6BEDFFE993959F4ADA4F45B9EB03E2720D6636
                                                                                                                SHA-512:D9B89B2C0A1EE849A5D36AB8E01497D8EB5DF70F2D8C6F802B8BC9469542454E9E45EE1AE4788A222DC88C830C50562EAFA8D60A893CA6B6A5AA38C0C6733155
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2306576
                                                                                                                Entropy (8bit):6.281607739604203
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:1b3GL2/BAJFfv9W4FAkRmeapIJJVJs/z+7Fld:0b9cpCU/z0
                                                                                                                MD5:C565A89728AA7EA21173C3026B65B578
                                                                                                                SHA1:1360FF431D6643125A9D1D17AFFF799BE3A64C96
                                                                                                                SHA-256:27E6E31EE68A2B9EB5BFA3E3E23CFB1C6145DDE0137D72356DD96ED083E2F3D4
                                                                                                                SHA-512:72860A2123CF2B2BB94C7E712D2DDF07383EE2415DEF30A6BE64DAC637ACF41A7FE05EB6313815530185C58E89DEF354656E3F141F7FE531CE46EC2B67675CCA
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2298384
                                                                                                                Entropy (8bit):6.289632942546819
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:Vr2gLf6YugF/klPsgAOxwArZ65ZoKW4q77giVo:9Hxq9gZjW4KC
                                                                                                                MD5:860F0CF335B1F73C6F94C71BFF47FDEF
                                                                                                                SHA1:5A788155C8BD59927BF80107531C020D400B1CB5
                                                                                                                SHA-256:487429458A15DEB08E95AC350D647A075C818BBFBA33FCC0B9574871E185C156
                                                                                                                SHA-512:313B92C5D7F28EC265DEAF1C5CD1C3AEEA817E67C41E7D0D48A1BC857647D8CDAA3957BAA0F1AF32B02F54A1E053E0E43B67EF365E2AE733857FDC13F2EBD83E
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2538000
                                                                                                                Entropy (8bit):6.277489867801208
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:NUgLUvUFseaaY7DrZIJS1GGiFprfHRrgqhrifzh9Us+e5GT7heCq9pL1vGH1w4c2:Vz3eOH7fHVgNf99UDuGX7qHcw4QcYyiC
                                                                                                                MD5:3419752301BFE5EDCC0CA04D7F7B967F
                                                                                                                SHA1:BE54DA092E99904B788F43A5305EC78F73381345
                                                                                                                SHA-256:FE382DDC150F35ADFD9FB127FAEAE60A88A4955719D13824D7ABB8E2A6EF79A8
                                                                                                                SHA-512:189F306C333659074709EC10DA7A5B8BBC9FE0F159E569C659AF71D193A153D701FF9825A01FB9FB5C8351946D1A9FCBD3EF9FE690C13337E247B15C962267B2
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1780600
                                                                                                                Entropy (8bit):6.470676233509427
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:Bml7cqS1GGiF6D81NYOozvytJcFCbhwPooNWKqZHR+6FTpo9bgDs/YU:mIOEo1KdvwJQCbmPooNW/ZHQioxgAYU
                                                                                                                MD5:D77FB51F3CB0C0156927963B7F613F38
                                                                                                                SHA1:297ED36F1820A8B34BEED4598E4FA7C4DEE2D0DF
                                                                                                                SHA-256:94F502D47E5D775CB9ABA572089532EC4066C921C9FE1D099E98275180DB4ADF
                                                                                                                SHA-512:E3BA0F46444F578F2393AA54578C86DDCBDDC6F45A9CCCB2EF8B37EF0ACA140056661302ACF823DF61FC528248662E028E8B697360DCF954D86E3C992CB24F84
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4127760
                                                                                                                Entropy (8bit):6.128172986872311
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:hyCl8qkokj/jLWcNylUSh0fVzkp5r1PqKrv1DXBy23o50bB7zX:jej3fYg0FXS585
                                                                                                                MD5:751C5B2493358445FEFAF7D5BC87A077
                                                                                                                SHA1:9E90206615D6D0BE8DEABCDE44668BDDFB5D15A7
                                                                                                                SHA-256:D1D41CA9AEEA38A48BD41CB1DFD77E2CDAEA65566680F6B75BBCA290D4814AF7
                                                                                                                SHA-512:B2AFD9DEEAA5DAA4DBA462B09419DAD9DB4E3A72F96BEFCB7C2E2EF90B28456007F50C5A0DC0A8885194F72670BD3FB0FE7AE254E5FF356FF0480D351AC0831D
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1698296
                                                                                                                Entropy (8bit):6.449038943875198
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:2/iJicTS1GGiFpP3ROmr1PA7PUrnVa9NtQEqayUQAZ7jGgN:2/Xcp/3RO41WsrVCHVVyUXZ7v
                                                                                                                MD5:35D97306886D0CFC8C9EF3E69105099A
                                                                                                                SHA1:843440DE4517DFD4640C2E4058805A3700A9ABA7
                                                                                                                SHA-256:992DFD9F3917FB52013CA2B091E5A5550763740A45596E85E2FC5B567C59476E
                                                                                                                SHA-512:30CC6C499A965DF05AC15987918C2FF306686F5AF4C6E7056CE83D3FF5EB4B956E73225EEF7E9B04115EC29DDBEC0A0D5FCCBD9B72D346B9AA5C39E1B6496E5A
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):525744
                                                                                                                Entropy (8bit):6.010610484357411
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:jKUNiutxRz6Zcz8DvZJA0JJt2MwNI0/3neS8y44:2UR6OYDvnA0JJtvAXem
                                                                                                                MD5:35024DC79289F361A9A294A4FBD2F489
                                                                                                                SHA1:67B3B1F23A0ACACF97052A5A8BFF681BFE37C4C8
                                                                                                                SHA-256:06D3EA2D2FE4546FFE4266C2C85A5C87DC13614D00374BF634CDF111E2A5D397
                                                                                                                SHA-512:61F50B4D0375AA3595B9540B23B888036FE4B84E9887A2AA0526D2EE964420339763C3E80F818D33140AC7D44421BE38DDFAB9C3F00E95506C4FD7FB21A0E52D
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):36608
                                                                                                                Entropy (8bit):5.95361188549271
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:sEtW/PzMAKvMLaa3eHB+trw1b4+KIcmu0CWNf5iRwXbXqoqd4SmFadbbp/nK3nyh:gwbvMmHRCIjuKpr67q89nZkVCs3hA
                                                                                                                MD5:EB6F76EBBA2DE44C925595008F23F532
                                                                                                                SHA1:55E5BEA8C99B093CD9A8FDEA7C96739356C31893
                                                                                                                SHA-256:97CA53B2FE43B67D6B1BAE26693B2850692794CA557A8A5E368CB66CF7AA75BF
                                                                                                                SHA-512:F43C773C7C9D37445AC8215087D631CCD945E3DB048BECE225F9B26921326BA453AF756F59107C151B9278764D1588789E5417EE09CB1C42AD5C7AE697681FAB
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1616128
                                                                                                                Entropy (8bit):6.469992569412543
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:SgQoS1GGiFp+GY3qA+bcnvC3wJJGlZ+QoiKm3+Ea4sMXYL3KiS9/:S3MuG0qxbGaAJMoQ1KmuEa8X/
                                                                                                                MD5:7C35602CF615C3FAFDF5057C53756A94
                                                                                                                SHA1:E80B76D0EFDB37391F8E63E6BBFA922B1B7A7370
                                                                                                                SHA-256:726AFEFA017583C667D4359CCC3D71AAA07B6EAB686FFE656919300D3379D44F
                                                                                                                SHA-512:6B1EEB243D57249B9548FCF3E3C9CBC69697125431C479FF114746FB33408FE538874DBC935BD0BE8B0591055FA4EE8E4AB0BB5264138906D61FB5C8BDA9BD40
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2085408
                                                                                                                Entropy (8bit):6.354856041862029
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:i6pbhPFZpeRnR8CwpTCZWLCwWGX7I9+vsDJNmoz8gF5B7AaRRGzNJmrqw6c+Wdnk:HpbXSR8nswC0WfdeL0s0znPTm
                                                                                                                MD5:D26F10BEE44D756CAD73631C1C3E90E1
                                                                                                                SHA1:7862102526806C87BD182076A351856420E886A1
                                                                                                                SHA-256:CE5F64E3308E8AAFB8FA3DC77652949EE0E1F40FCB6133CFB0AC63D1B934A3D8
                                                                                                                SHA-512:33EE5F6A4D2CA3028F6B56ABEDD9AE48EBE25A3A8FCC82ACC07C117C7A1D76D4BAE1994602EDD86CFD3AD62D9776CF830F913768EE5187820F0B7F37CAE04458
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):640544
                                                                                                                Entropy (8bit):6.262981938777764
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:m3SlvflrV0kD/52TRIY9rPwadIthkAgUb0/cFBMDa6VgCJcQCtbcdXzMaOSNUs6J:QSlF50UuiVRe54CIapNJ6VZ+Alh1FRuQ
                                                                                                                MD5:7DA16EA022A35C4FCB8CDB830B1F2DAD
                                                                                                                SHA1:0DB6B7D23E744B6AA842DF262F138F146805608A
                                                                                                                SHA-256:B058BB04AD2695FDED14F06CD800D686B047C605F824287ADD2BD4EC36C18F3B
                                                                                                                SHA-512:C5DBE12A3DEDF3320B33797FECAC74506675A030358D82AFEE8422A2286BE839D33E02BF4B0AAD2B363BB68447511456D8C5220B31C26E225012A4323FFCDDE7
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1643040
                                                                                                                Entropy (8bit):6.442596737136437
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:UadDS1GGiFpNr3kAoYN4KHFQ/MUDbRmzualwjCMCA4USsJ:UMZFkttKIrD0qalwGBA46
                                                                                                                MD5:82CB7701384A71B47792ADD297F1D197
                                                                                                                SHA1:C5C7C51E7249220159C5FDF16E96C3A7DFEA6D27
                                                                                                                SHA-256:7676C1101035D8E1AFA2BFA5C9CC12BE0139804AF45BE187F055A7184FA157AA
                                                                                                                SHA-512:5DE5DBACCF6BCAFD0ED53E14CD9DF3D5CBDFCE86E0BA0E33696711E234328F7A64B845F62C544D3CC5CC98BA0BA79977A9DC28F15895251F17CFB1842E056DC4
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2399248
                                                                                                                Entropy (8bit):6.314705719172017
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:3RwgQEl1aqArZHMMv9eyr1tF8zwlycjg7aC:hO1T8zwwcj2
                                                                                                                MD5:03DE4ACA4BDCB56F34E17C20D5B8B128
                                                                                                                SHA1:6B33AED0814099B6F109A1D924BB24FE56D6471F
                                                                                                                SHA-256:716EAA706149F839B7D2122903919499A7514F4344F95C2C10743EE6CF104163
                                                                                                                SHA-512:3D1233EB29534B3015259DB65ABDCEBD4B2BF1076F6A1B3596A12F1143BD3A6AC1D8C93D529E1030336166013494746BFD8C87F44225BA422E0D8500C7B70A93
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1589264
                                                                                                                Entropy (8bit):5.763994289322921
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:Xo5gXeL7ypAb8kSFoNggdefG19n29KrFnq04SD63+6xvN7q6w4Y+Mb:pNAIkooNfeej2LSDX2N7zq
                                                                                                                MD5:3C407401D797891872A41781962BB872
                                                                                                                SHA1:B7EE4976A8010834EC1A3949372956876EBF745F
                                                                                                                SHA-256:E7C2D733D28D537E46920D989E4872EBFD0D4BCC74E5D741EDAB49D567475AC4
                                                                                                                SHA-512:8DBD237D6BE244CCDF3176D7A6C42322610C37EC22774206714BBAB250C17A33F910AD964C128ED9F7B533958E04192387F9E2E8F29495F7D9DB37746DF2AEC0
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):146
                                                                                                                Entropy (8bit):4.959459707035537
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:GB4ov3BRPNVLNxsusUmdOrMdZJBROdwIfFLsXLQsyxNVFy:GHpRFBNKfB/ROdwIfALQBJFy
                                                                                                                MD5:6E09B169BB08A70212D98F986F9FF33D
                                                                                                                SHA1:67CB1E75D9899919F0E0212726B8063F775799AB
                                                                                                                SHA-256:AB52A3BE3659C59E4DF91A0933EAD0F0ACBB740A089AA2B881126CF70767BED2
                                                                                                                SHA-512:EE99857655DABB27986428CEEBEECBC77054592D8BDEBBB3F10787BDB58100BF37D91DE0D5E7DC756566C4C5E84940CD1133EEEC0785E5534DD2B713B109D0A9
                                                                                                                Malicious:false
                                                                                                                Preview:[Build]..BuildNumber=1.7.0.1630..State=4..Version=1.7.0.4..[ASDFBuild] ..BuildNumber=2.5.81.1435 ..State=6 ..Version=2.5.81.6 ..UpdateVersion=0 ..
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):29848
                                                                                                                Entropy (8bit):6.634755302057254
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:T523SlaCmIevOyl8Qf4y7wa+pYnMtRKOBxQUBHp23+r/jLo+:1OSlAnmyLAyU1tZp23+zjc+
                                                                                                                MD5:99A40DC9A761B2A03948BD2F5F8D1378
                                                                                                                SHA1:AB5ED4D4A38842C972AC8E85305E5D7EB067B5E6
                                                                                                                SHA-256:2837C994037D9D3ED31F4A4AA2912BAD8CF751482528AFDBF43A80071C99AEC6
                                                                                                                SHA-512:D05AB5B330C83F1F92D3C50773AFBF74828F21FD502545E8F71138D813BDCBAB00DD64BAE00DCA3937D7793747B9367C8F6F449039BA72998F9E4FEC06316C64
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):183608
                                                                                                                Entropy (8bit):5.925006152484248
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:mON3OrQ48MQTKxZBhMeldB1DBHxN0QWADUEekU+Y:mON3eQTKxZBielXcADUl
                                                                                                                MD5:D63FE44D767DE4D36943DE9DCBA5AAB7
                                                                                                                SHA1:1F0E72AEA935FE970999C2DF6A644EC9A4B52CC0
                                                                                                                SHA-256:FC89A9B2B5D8D7FDC3BD49D450A5135BC52832430989ECADAB3FEF20478B6DEC
                                                                                                                SHA-512:D9390AA01ADDC4FFAA10666ECB337884195489D8360E7B0D1919585468FD6EA720BE73687855C414A71F766155A0FFA3781178F2D7592A9E75A1335977954354
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):95032
                                                                                                                Entropy (8bit):5.702613415046306
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:3hsnrVygg8kxEzvUZ3nBVnwF1Ms8gRffIhL6rUJe+/nPNdBpl:WrVvg8tMktfQx6sNdBpl
                                                                                                                MD5:0319CE5F5E28235E8DBA9A9F669A2CE0
                                                                                                                SHA1:E71C781BC99CFD5C0A351EF4A569D7CF0220A4D1
                                                                                                                SHA-256:E758B88E8A1B3F9E4C474F0AC494C7A6890A16580A9F4EEF701B1E70F74B3828
                                                                                                                SHA-512:2350E5A7A41948063BB05AE2715BAAB0D25A426DAFDFDA21E968207843C1FAC4D07CE7034B0BCE679EE9D1A616AE9516FE856844407008B02A2A94E27E71EBA8
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Windows setup INFormation
                                                                                                                Category:dropped
                                                                                                                Size (bytes):112
                                                                                                                Entropy (8bit):4.942112766183263
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:hWddwA6fLBJoHeA79LczVyRHqeRpkmcBJMKe:AEAy1JoHec9LTqOpIJq
                                                                                                                MD5:180B33AD34ACF1D366C541BD4B6A678D
                                                                                                                SHA1:3475F028E03199616959E65A1A88364752AE8B2C
                                                                                                                SHA-256:A54EF576B172285C83E497276BA7BEE93D6AA526892EAE23C89DA264FEE06817
                                                                                                                SHA-512:116EC531D0888F7EDD03F06B2E01281785E08374371846469F5724633245418B731B058DF87AC9339F27E03DC63A9B61660F79E98BE9FB97DAED5F2DE55929A3
                                                                                                                Malicious:false
                                                                                                                Preview:[Version]..Signature="$Windows NT$"..[Properties]..; Friendly name property..11="{text}AhnLab Safe Transaction..
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Certificate, Version=3, Serial=00d01329e89a358cfe, not-valid-before=2015-06-18 04:03:23 GMT, not-valid-after=2038-06-12 04:03:23 GMT
                                                                                                                Category:dropped
                                                                                                                Size (bytes):767
                                                                                                                Entropy (8bit):7.459978064135623
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:DECA5mS57QS7NpEt11Lc7p7lQXQmaFGGhE0OhEDhpoS8P/h1ABaZD6JYhvU3x6:D5G7QS7Ug7p7lQ5aFGr0TDbuP/DAQZYY
                                                                                                                MD5:6684F39AE1EED64077BC9E2ED55CF318
                                                                                                                SHA1:E7EBD0B691D499DA5BC16A8C7ADC942CB7661C65
                                                                                                                SHA-256:FE46FD605FB59B26E2F8535D352F7C93F0E25431F5CD21231CB66F00DDD1EE9F
                                                                                                                SHA-512:D0B4F652197489411749C6EB45CC4987CC73868D5BFD6E5AAA7D13148E71EC1D5A4587F6AC0B0B27C52233B6353C4B65EA2E4B5C3FCA0031EDACFE157BC35D97
                                                                                                                Malicious:false
                                                                                                                Preview:0...0............).5..0...*.H........0.1.0...U....ASTxRoot10...150618040323Z..380612040323Z0.1.0...U....ASTxRoot10.."0...*.H.............0..........\`.t.D...}....H..8...V..1..SC.3...q.]....<T9:>..-.?$t....5..|p...."U.kC.+...)..1y...R:..|........C.n2........4......^.%.....q.2?....tK.%.-y..:B...H.Z...[I?&..5..>J.'...3..r.Sq.../.y....Z...Jp.s.. Y..'.{..F.i.0..Y..,p.Po0 AgW;6V..Y..tkO..a.........P0N0...U.......6.a.. .-.vow.6k_?0...U.#..0....6.a.. .-.vow.6k_?0...U....0....0...*.H.............LA...*...t......P....;n..s'.U.#m8,'.R8z...pi..K........b`"..^+...........bxP..b...H.0....2.t.....f..\........k].........,.....2.S..%..............(.Dd.M(.ZD#.Nx6...<IX..:jDvd..GP...B....`.D..$....du....*.|1...XQH........#..V*.......(.1,......,...
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Certificate, Version=3, Serial=009c786262fd7479bd, not-valid-before=2015-06-18 04:03:24 GMT, not-valid-after=2038-06-12 04:03:24 GMT
                                                                                                                Category:dropped
                                                                                                                Size (bytes):767
                                                                                                                Entropy (8bit):7.511801750889632
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:PsxFIxJFOl7As3WVL65oU1q66pcW0whPWs0sLgLaXr08qo/Lb1kfKAp6WLVlu:ETl7As3WVL65GuwhPaegLaXrR9YxpbLG
                                                                                                                MD5:D727B1D7417252E07DC436AA754C941B
                                                                                                                SHA1:E6E5C1EB1E19E4F89A0C37DDCDA50C8B6EDDDD8F
                                                                                                                SHA-256:8A81891C6200605F963355A7D7B379221D4A14F2BC55C969353C04214A7C5685
                                                                                                                SHA-512:490C16A465E1045574E6082CD88ABDEB9EF854F720DFB13DD4503126B50D7F373097AA68FC41331BED697BB4DE43034B6E855F822F84C33FFDF41F48C97B6845
                                                                                                                Malicious:false
                                                                                                                Preview:0...0...........xbb.ty.0...*.H........0.1.0...U....ASTxRoot20...150618040324Z..380612040324Z0.1.0...U....ASTxRoot20.."0...*.H.............0..........x.P.....t...q.(....9.^.....` ....y..I..o....jD.J....u=vK.~].o]T\.n...&..vE...k..^...^.Z.....).'.h2..9}.U3..d.Y.TQ........-..0.`l.S.M...;..tU......7.nBQ.u.F.m.}.......?M............Z.....z_.|m.S<....]sT......G_.B........g.......c6.t. A.......P0N0...U............".Qnh).~.l/..0...U.#..0.........".Qnh).~.l/..0...U....0....0...*.H...................4q+.A4hfC...>...s.2!}...FB..St>.Oi.[5!...|Dn.;...g~+.X.7.&...i.6.ws.-..Q(...?...Vn....Q".HJ?.;.B....(..S..|P$....*...{...p..=@...%.C.<..ww!z#..j...1C_...D..Dpr...o...s....n.....P.+......%*V..S.r.P.....&X.^.wV.?...D...a......h.u...JU....z.
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):85504
                                                                                                                Entropy (8bit):5.9322947668452635
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:MeZq3MXXTjmZ5IplbHKp/reRgMxcRircjVgrS9Ll2shT:MeZNvmnswKGMCZSrggsh
                                                                                                                MD5:AED39116FE12C5550975043DA1D1B244
                                                                                                                SHA1:ED8AA12A00E93C1A477F4EF69864948B4014A7FB
                                                                                                                SHA-256:BBBA87BF62E8BDC11602F2A95712E5FE3FB1EDBBCDEB28CBDCF191AEAB286B04
                                                                                                                SHA-512:0AB9EF25BBA0E231A140A5153C9F9149AB194A324F374E655E43EF90715E0417987D7F31F2493E229EC8B704BEAD31F0FBFF6EE811D42CB7AF8C58361979D132
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):569344
                                                                                                                Entropy (8bit):6.1181069611039955
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:AG/XQ+F4FFJaL5TBEf6ID0rq7XqHvXxUEuspBi9NlLlli8QMupzUMfNXyowyQv:rX0vaL506euHPOypA9NlGcuVNXa
                                                                                                                MD5:711DB2EF10B6C2AB2080698AEC6C6D08
                                                                                                                SHA1:5746C14FE1790A18B76CC9833F93BC72937ACA72
                                                                                                                SHA-256:75DDAB1826F220EB36A9EEA9CF8533C94C19BAC89D961380F3A418F6EEDB2B4E
                                                                                                                SHA-512:6568EA1BF41AFA461D2B529D42E0D873C9B1B109875C6010FD965AC8C3D9A0C98EA1EA747119815254BF42130B6CF699C8DC01EE6763F172AE7C57F656FAF7F1
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):103936
                                                                                                                Entropy (8bit):6.464020030097691
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:est2WKOxRTftkVeSl8w5d3wgtRgc7k8w:GWKOzTlkVzl8w8yRDA8w
                                                                                                                MD5:0C6B43C9602F4D5AC9DCF907103447C4
                                                                                                                SHA1:7A77C7AE99D400243845CCE0E0931F029A73F79A
                                                                                                                SHA-256:5950722034C8505DAA9B359127FEB707F16C37D2F69E79D16EE6D9EC37690478
                                                                                                                SHA-512:B21B34A5886A3058CE26A6A5A6EAD3B1EBAE62354540492FB6508BE869E7D292B351C0913461B47C4CC0C6A73333AAD33CD9399BCB1F83C7DACFDB7F2EE1F7A9
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):222208
                                                                                                                Entropy (8bit):6.697487951906348
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
                                                                                                                MD5:269BEB631B580C6D54DB45B5573B1DE5
                                                                                                                SHA1:64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
                                                                                                                SHA-256:FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
                                                                                                                SHA-512:649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):199680
                                                                                                                Entropy (8bit):6.678065290017203
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
                                                                                                                MD5:6E84AF2875700285309DD29294365C6A
                                                                                                                SHA1:FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
                                                                                                                SHA-256:1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
                                                                                                                SHA-512:0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):14336
                                                                                                                Entropy (8bit):5.794541181301596
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
                                                                                                                MD5:1FAE68B740F18290B98B2F9E23313CC2
                                                                                                                SHA1:FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
                                                                                                                SHA-256:751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
                                                                                                                SHA-512:5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):12288
                                                                                                                Entropy (8bit):5.576295270591411
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
                                                                                                                MD5:9AE76DB13972553A5DE5BDD07B1B654D
                                                                                                                SHA1:0C4508EB6F13B9B178237CCC4DA759BFF10AF658
                                                                                                                SHA-256:38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
                                                                                                                SHA-512:DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):761152
                                                                                                                Entropy (8bit):6.9097717021149965
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:TYhr4bCLI2kwAWEXqKDkoKsiYxem5GQmLuEs0NIL2fLiFHSt6mRy3jVRwB:TUIyAWKDkoKsiuem5DmLuExNILQOFQ6e
                                                                                                                MD5:53E17C3EEDCB0479971FBBE99FA9C0A0
                                                                                                                SHA1:87E3E49CF24EA5762E8E4EEFDEA750D4E365907D
                                                                                                                SHA-256:990EE8BCC6DC60FCE2F5D91187322EE13939B6212B6C617DD95AC4117A7F2BF3
                                                                                                                SHA-512:B8DF5005596340E07C742D33CCDB6E1D0E1F8053DB1C9360B32CE84C9DBD7FB22AE8643328990311BD9639DF47FEB5BFB1579E8FCB56E9965981A8234533224A
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):798720
                                                                                                                Entropy (8bit):6.523188898405281
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
                                                                                                                MD5:A1C4628D184B6AB25550B1CE74F44792
                                                                                                                SHA1:C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
                                                                                                                SHA-256:3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
                                                                                                                SHA-512:07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):370176
                                                                                                                Entropy (8bit):6.863300763286356
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
                                                                                                                MD5:D1243817A1B22B855DE0852CF5B53BF5
                                                                                                                SHA1:C64F4851A2FCFE8D1E4A5B5743498870B676755E
                                                                                                                SHA-256:93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
                                                                                                                SHA-512:59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):108544
                                                                                                                Entropy (8bit):6.45689405407938
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
                                                                                                                MD5:051652BA7CA426846E936BC5AA3F39F3
                                                                                                                SHA1:0012007876DDE3A2D764249AD86BC428300FE91E
                                                                                                                SHA-256:8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
                                                                                                                SHA-512:005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):93696
                                                                                                                Entropy (8bit):6.44977499578729
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
                                                                                                                MD5:C26E940B474728E728CAFE5912BA418A
                                                                                                                SHA1:7256E378A419F8D87DE71835E6AD12FAADAAAF73
                                                                                                                SHA-256:1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
                                                                                                                SHA-512:BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):97792
                                                                                                                Entropy (8bit):6.240650542976671
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
                                                                                                                MD5:A5C670EDF4411BF7F132F4280026137B
                                                                                                                SHA1:C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
                                                                                                                SHA-256:ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
                                                                                                                SHA-512:ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):172544
                                                                                                                Entropy (8bit):6.496240878001019
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
                                                                                                                MD5:2AB31C9401870ADB4E9D88B5A6837ABF
                                                                                                                SHA1:4F0FDD699E63F614D79ED6E47EF61938117D3B7A
                                                                                                                SHA-256:22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
                                                                                                                SHA-512:BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):423936
                                                                                                                Entropy (8bit):6.751461394308889
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
                                                                                                                MD5:B58848A28A1EFB85677E344DB1FD67E6
                                                                                                                SHA1:DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
                                                                                                                SHA-256:00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
                                                                                                                SHA-512:762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):190976
                                                                                                                Entropy (8bit):6.662915165682162
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
                                                                                                                MD5:717DBDF0E1F616EA8A038259E273C530
                                                                                                                SHA1:926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
                                                                                                                SHA-256:E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
                                                                                                                SHA-512:C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):3407376
                                                                                                                Entropy (8bit):6.083562418610337
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:+KQVSmZZj5+LQPhsb/hvKgInTI6VV2AFpCR0+tyHlQAXyPvChxwQEHu2I7Fsf:7i8KEcchyF7xPEHzGsf
                                                                                                                MD5:7465FD034D92B69DD89FF32493972FC0
                                                                                                                SHA1:F21982CF025C47A466746C6F1ABE506A41B5B419
                                                                                                                SHA-256:186FF32054F9B4F66B7EDC7B3303DA5BDC271B77F7EEB369E6E7B596CE211949
                                                                                                                SHA-512:8ABF052BBBD83817DCA796135B971D006815E32B5F12250512E646E5FD2608A8D3A0D2A89F1DD729C102937BA5FEE5B62F2B82042ED8B9C23842B87268329FEA
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):25600
                                                                                                                Entropy (8bit):7.993464592755953
                                                                                                                Encrypted:true
                                                                                                                SSDEEP:768:kNLeCRkObMkPt7eYnnzmbSZHiET4hEQU2ogo:E/bMgt7e4zHJTWRxo
                                                                                                                MD5:D9C56468BD35AF910DEA817CABB81D36
                                                                                                                SHA1:0FC641A180809B63CCEC27016E38C2B572920208
                                                                                                                SHA-256:D3B62B5869035748F8E53F7A65FBA2621F3EB4C6F721C415195C34690DE51307
                                                                                                                SHA-512:B328512B0F2F1871EF0712121D39158C5BE0A1F594A3D5458CA4E4875DF5408DEAF250DE5E65335E17DA1CB59BBD62F37EBF791B55748E1010951BF2420D9C17
                                                                                                                Malicious:true
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3014002, file counter 2, database pages 1127, cookie 0x1, schema 4, UTF-8, version-valid-for 2
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4616192
                                                                                                                Entropy (8bit):6.24811983862515
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:0jfLR9PgLqyBIDr1nxgVniDPsbX6KTFSafxWOoJCFJ0qrmO9LMvwg3V9pVxk35R4:2z2Bcrw9iATgafxl/9LMXl9jxyyyv4
                                                                                                                MD5:A1356A635643AE79B6104BCDFF0EF93B
                                                                                                                SHA1:A02F5EF1F81089FF5933FFDC1E5F3C0CE7914E3A
                                                                                                                SHA-256:F826F9A857A0105544F1516E7F838BE9E1CC721412A047B5F8043A3D58A42464
                                                                                                                SHA-512:3934C7F776C956C8A7E0D29F695CF9E79EC27A24EA1F29B1651061FD4BF8691AB53E99A1B0DD4E239016571667818201A0339733862B8CD255B499A66587B4F1
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2048
                                                                                                                Entropy (8bit):7.904375764569563
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:kFjgEgFdFy47RaOyNRVpl4nklxRTBia/ep/tn7ZYLsX:k6Eyy4wVXTfGRt7/
                                                                                                                MD5:5CC424F65E490FE65BB4613B7AA6EBFA
                                                                                                                SHA1:FEFF5751D5B9E4E9C04EBC2F9BB2E7B0C7779B23
                                                                                                                SHA-256:4F0654EA77519E62E61112B37485EE41623838B2B7DAFCE171D1178C68E2ABA4
                                                                                                                SHA-512:8062326B953A7416D4E2DCB69AC644DDE020E1E407855E5CFB31BBBE5E061F2382A52B670B28595C23C5B06C80B4981CA8BA8B339A1E1B66900342FBC495476B
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):5120
                                                                                                                Entropy (8bit):7.967854076429251
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:joely5G1ZepCvAaLRSMet/54T6J/yOVI6j3NBiDY8ovn6ZIl/jZqPrCjyYGd:Eed1wjaLwxt/OGJfVI6ZBj8ovngIlLZQ
                                                                                                                MD5:2B09D3FD0FB7C2710E79D3E95F35D776
                                                                                                                SHA1:67D36887CC8E1B7E6AD4F36B774811872765D40B
                                                                                                                SHA-256:DBE3AD374D83B5B5C3C6235F5E567D37A36DDDDAB00474293DE3AAD236E8EA0D
                                                                                                                SHA-512:2360DA35F3FA8D8EFA502FDF5B2F713700E109E7191E1CDA30AAFA43CA3FCD5E23E205D359AC4E16ABCA2D044AAE7DDFD778F2EEF9A4C79B504868AA34F7CFDF
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 90334 bytes, 1 file, at 0x44 +AX "extraopn_ply.html.new", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):101166
                                                                                                                Entropy (8bit):6.451693133905403
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:+hEpEP/5gYdzpWdPWRBbDq5MkrloatgfPM6lKaBH3SU1jNUL/cBkvOS3ta77k5y:TpNYxpuOFql3tjxaxd1j2L/0k5M7my
                                                                                                                MD5:E84262438473D7C2A4BB1EC802BA4BD9
                                                                                                                SHA1:DCB13F5DE8A37E8F2B30ED998A00242C0125D064
                                                                                                                SHA-256:0EF849EB15CCD8611FA32133A05B77F1FE601913804563E54A06F8C095E166A7
                                                                                                                SHA-512:CBC7700A7665EA98FB4DB259D8F7D32172BAD2FEAF4AE4BB89FD0742F6FE4E1DE0E169E187E4D007143C78279D91FD1308985E2B14678874769E70902F63C829
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 7101 bytes, 1 file, at 0x44 +AX "netizen_ply_default.html.new", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):22757
                                                                                                                Entropy (8bit):7.394463474354784
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:AE42fdL8L81cwmdCggNsijDRfKa1FaZ4y7wa+pYQTbkZRKOBxQUdtt1sp23+r/j9:742l4IgdbKZ/FaOyU1Vbk3XDsp23+zj9
                                                                                                                MD5:0DFBA33282D828A1B5EE96B1A8B98B1B
                                                                                                                SHA1:B6046CBD196A878B7D45DEA3DD5FBE04254A6F2E
                                                                                                                SHA-256:CD1B42FBD3EBAF46665CBA3BEC0594B235AF81EE89ED3E4E5D3EE8561082C30E
                                                                                                                SHA-512:4450D992AAEC6131FE887487FDD4AA7BAEB63207900DCCED305757E8E55DD5858D4DB8FC1E93311BD3A411CC04CC8CA61BBBD17D8A4CA9249A8775082C566ECE
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 137 bytes, 1 file, at 0x44 +AX "ply_ver.html.new", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):10969
                                                                                                                Entropy (8bit):7.630007816314116
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:8IYiYF82M34qFI2Pc+MKGMz+noPOjlGy2sE9jBF0NyPPVo1TSn:8IYitv7E+CXG8E9VF0NyPPVo1un
                                                                                                                MD5:03A78704029E1E80BE633F0AC89C7973
                                                                                                                SHA1:FE137FB036F946FCBED2DD12B78276B769E9F694
                                                                                                                SHA-256:FAE899E20F5AB6F766F51E7093063B63974B66FC323B0C0D6BFE8202895AD060
                                                                                                                SHA-512:73DF19FF4682556A7D721227AB4DEED7976A7C916A508919635D3D286BCC9DF035E0B958EA40B97D5DB550D5EBE73AC4020AEF1EC29555C93C42C616072E1BAC
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:Microsoft Cabinet archive data, single, 326717 bytes, 1 file, at 0x44 +AX "starter_ply.html.new", flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0 compression
                                                                                                                Category:dropped
                                                                                                                Size (bytes):337549
                                                                                                                Entropy (8bit):6.17318977867477
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:MbeMSlVNGtB0781MjjdY2r+Y8C44X3pr7s+Ch/watVnilRgOZc4vEw5WVuSgh:EYT2B+wuxjiY8p4X3NhI1cZeOWkxh
                                                                                                                MD5:14256CF22F6FFCF19878E7827ACBAE78
                                                                                                                SHA1:2596AFF196E36B4313F9A9943D07BA92E478A0F9
                                                                                                                SHA-256:9D015B29F1F3508F1625749E656DDDF5D7B095CC6D1F916DC288B7213DE18275
                                                                                                                SHA-512:B2C30B7CCE63D0A20015EA7B0E14AD4A5862309037256D2CCFE1AED6624C50B2E2BA7B96BC60C4501CA0255994127482D5AC43789D285B21A9BF40E7DAA35F03
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2680344
                                                                                                                Entropy (8bit):5.846107201304436
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:VuaqnXgTj2qYXqeVDd0nyvb7792klH3hJvx3ZOVjzw:V5T8qeN92WZJ
                                                                                                                MD5:D5DE2FBF011CD87778931A1687DFEDB0
                                                                                                                SHA1:9B31D1B262D06CDCD677043D0AE22FEE1E9F36F1
                                                                                                                SHA-256:6AC3304FC9C8A6F4FDD8F06C8D6B36564C7221720A42D5748D190400C8C71FE0
                                                                                                                SHA-512:63D7B7387C7C27E654D8CBC04182DC35CC33F838219707827823575013C2D6E575194BF0747C429A7575983DAA1AA0B67EC33D1EF6ED22B6E2B63B5A8F7E78C2
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):44560
                                                                                                                Entropy (8bit):5.893482922203998
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:IdJtnfDOV7zIKk2AIPzwfJkdFLYityXlEnZF:ofDOV3IKk2AIPzwfJkdFL7MXW
                                                                                                                MD5:BEC8A457871D528FD364F49CCBD440B7
                                                                                                                SHA1:FF7DF1FAE7E308B47C3F2F6D0B94C4421A59AA99
                                                                                                                SHA-256:9D30971F21A14CF7EA0E04EB70FC1B08903038FEFC275B74FCD55E39EC23F687
                                                                                                                SHA-512:94F9ED7FF211731A76947D5869DF76FEFB5D4D1EBD3ADD3B5FDD20BCD4538F54C1A40F5DC39CECBE566DADDA022D2AACBC9B95DEA5078359D919ED078FDFEE3A
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):35664
                                                                                                                Entropy (8bit):5.58023144464701
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:wwxPHe7hDWEWy5uxcx37Xtqh5iHulR1uwTvh6dKe/VD9OLH1zLz4qjXHUB:LShL2ctXtqPvRhvhynOLtz4qjXHUB
                                                                                                                MD5:3D158F9970E98046E9D1CFEAF3F80007
                                                                                                                SHA1:C5A9CE5266AD2E1A635719C05FAAD3BCC6F6AE94
                                                                                                                SHA-256:71415D14B066E8A70190197FC09686AD0166D3D2C75ADBD31E6C1830C7E18371
                                                                                                                SHA-512:F49CFC46AB5FEC9AF14EF94A6EA07D8DFDD4621A037668B1417052078FF69B2FEFC89EA5DD4C055F8B1E8E43DEBE2C4F617B4CAA048A7013B77F962A629AB60F
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):36672
                                                                                                                Entropy (8bit):5.588028174926814
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:ldPwznjqQOl6HyLW7WyJMU9sNCR0OL5AlKwKTF1ECAiJJSLz4Z1joQ3C/:zki8SS19sy1KKwQ1ECDJ0z4Z1jZC/
                                                                                                                MD5:72C8232A2626743724D79F4D1684F3F3
                                                                                                                SHA1:44131077ACD660001C7C61409BC7E38C5D95FBD9
                                                                                                                SHA-256:8585A855C4A8FDB975A2B26CDE76B22CCD23FE19152D92FB47B30C7ACC7A966B
                                                                                                                SHA-512:A2E2864F8B75FCFF44CC791E9A394E928D3E628D5481E532C4F851114F1CB95A307B31CEEE10DDEA7E529C14DB7C804FA7E559DB5921A1982EAC4647EB601464
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):63312
                                                                                                                Entropy (8bit):4.147046570661323
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:4AhosbkV8vJVQPu6V4Z+e0petNSaQhp0vcsjsrAGeoDsaKtq5w:vhosbkV8vJVQPu6V4ZX0bhp0vcsjsrAF
                                                                                                                MD5:275AAC23549087011B2996C57B6AAEFE
                                                                                                                SHA1:F326FBDC1ED197EED3663A642609CD1425FF1905
                                                                                                                SHA-256:466E9AB397CE17633D2848B05435B49F62FDCE16592ABC247FA5BAA2B59CC850
                                                                                                                SHA-512:02FF0B3F5B8FCABC85BD6645CB1CEDA6F189E371BA00A8E57C501AA1115ABAD505672327B727F0E993FC99A330058B55FDBE04099149D7D6651792D766F9C965
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):53584
                                                                                                                Entropy (8bit):4.231898414434443
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:3UrE5Ev1Y6BwLPLNq5f/nWHBN1eOU2fd5iz4qjpv3F:301Y6BkPLNYf/nWH5TdXq5V
                                                                                                                MD5:FC70F49F1B15802F5AE7F818AE3ECBC8
                                                                                                                SHA1:059F44050DF886BC74F60AE29178D634D328E848
                                                                                                                SHA-256:1F471B87324666B45DCDA7AF69D8109240E632F289A81A02FDBE1EFDBE75DC7A
                                                                                                                SHA-512:8EA60C31B49E1C839C5099A9518298E4DD71A056A7D774139BE319A30A6C4D3DAC441F06E2EB76376D08646EBD4F10C0A19FFA50B5E7309488189390E7BBB3D1
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):61776
                                                                                                                Entropy (8bit):4.107682732404191
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:cOmcQ3ulNtMFZEGBFCDCDheB5xaV59+IIN5Rz4qjXHUo0:FlNtqZEGBFM0heB5+99ICqrHU7
                                                                                                                MD5:6D9A46F763040C86ABF1950F211FB1BC
                                                                                                                SHA1:17AB5398C9B1B5B564FA478CBD5C29803DEA6EE4
                                                                                                                SHA-256:CA8556A58B920D799BA52C07AC85D10C0208EFBE4380058C47C124DCAA92F67A
                                                                                                                SHA-512:745BF74E64A3A62983E3FC1D98EEEE82274397397D13C292DACFA0734FC66131713EA758EBE933365B2731DCE23527E0492310A2656199902BA1B558F22EB90C
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):61776
                                                                                                                Entropy (8bit):4.107209507419263
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:4OmcQ3u7TtMFZEGBFCDCDheB5xaV59+IIN5Vz4qjXHUM2Os:p7TtqZEGBFM0heB5+99IWqrHUM2Os
                                                                                                                MD5:C310853379DB86E6B0C5E4095F156F52
                                                                                                                SHA1:C1B2AA46AF4995717C84CE0BEBAAA47A2D3DA237
                                                                                                                SHA-256:CF9F783DD28CB8BD81D98F0F88C1AB924E233DF7DE26788720D181C0034268B3
                                                                                                                SHA-512:318ED84728FE2D4A3942FEDA6029B64E603DA7396B9BA04576BA32FA697CD736930488EC9C583CB68B8586051D8B13F209534D066074565115D94969E3CAB724
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):62800
                                                                                                                Entropy (8bit):4.1190781529301965
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:3WcDf8GOQOj7e3RAaTaPCeyGdZmZ5fyyyyyyyyyyyyyyyafyLVyWong3+vz4qjXc:xgQZA2SCeB0vQJqrHUm6
                                                                                                                MD5:AFE56D7623448D4C3729DFDC8E56C2FE
                                                                                                                SHA1:FD5BD8C48537AA145E02EC143D0E655818B96E0C
                                                                                                                SHA-256:311461ACA503F947113D5E66DF8BB996A3FC2506A2763FFE8C97AA66103D7A75
                                                                                                                SHA-512:FF06FA8ABD8AF6D6C680FABABA4B7B26A87AEA8E5A54E42FC94D9C84012308BB01FAAC2378B9507317DDE7FB616CDA13C1109BC42F4AC72EEE0FC5B4D32F7B3D
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):61264
                                                                                                                Entropy (8bit):4.101771776541544
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:5fhqLysnKliCz7PxdIlWXgiCnPOCeFO/hDsiZUWTr+z4qjXHU8t:OJuiCz7PxdIlWX/APpBT5qrHU8t
                                                                                                                MD5:4FF530BADEE863866EB1A02482E3BADD
                                                                                                                SHA1:04C679CAA989A4B10B45FCC404EFDD0CCA0A32DF
                                                                                                                SHA-256:E96126F9D9F5ACE396A7769470A77E035674A583771F200E393D6389E47340D0
                                                                                                                SHA-512:D489379A471CECDCB7417112E42E3CA727DABC2764DE222EA74FBC88DA2FFF5267B8EA7F7A1A0151FEF829BD615D0A1BD37118BF48E28A50A5DC72CC0F340995
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):43328
                                                                                                                Entropy (8bit):5.431136968953999
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:iIxeR48c4rAmWoWyI6JMQ7axr10ahVIpbhYZTZ+HLz4Z1jg:5ARcEI6JM1r10OIthDz4Z1jg
                                                                                                                MD5:B5E78AC7392C21AF9AF0D34CCED932CF
                                                                                                                SHA1:AA6E4AF6BD85D58E52456FF1E86BF90187B2E423
                                                                                                                SHA-256:D397D7C2BF5C45E1C8B6129248D23DD7B053CE6E70C2633DAA3B931B054E9984
                                                                                                                SHA-512:E2A49519B60E4D59A968EB90A73F6C1C54B2ECDD1D5806F0A5A223958947FBE32EC42C9A7251ECCF74DEA836DD94BAEBB23DE2133B3FF7843ADE697EDE47EDBB
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):42832
                                                                                                                Entropy (8bit):5.538055863229217
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:GekmG+rCzaraHn9vxB2c7Cvqnz4qjpv5E:GEGlzDn9vD2c7CvqEq55E
                                                                                                                MD5:120B9C7E4EE56BE14F7714AA7F7E9EDF
                                                                                                                SHA1:8F9A0189A53CA4EDA211836311E7466808EC16F6
                                                                                                                SHA-256:F3733F7A07CFFF9C6F8027F18FECC7D95B6FEA6FF9399494F22DE4A4B0E9EE46
                                                                                                                SHA-512:27231F6367B379BE8B336DBCF91876FB54C190624025E2F6687D581F21C6A87E4333E0C0D2577365C81AB3AEF316686B35D40B28295424316C18D3F6C5138491
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1860
                                                                                                                Entropy (8bit):5.392371898016726
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:3SlK+vU6g49Pd09kkKKMzEAZ09kkKxrzVHNw09kkK3zY:Clt8CtdXks5ZXk8pNwXkK8
                                                                                                                MD5:53213FC8C2CB0D6F77CA6CBD40FFF22C
                                                                                                                SHA1:D8BA81ED6586825835B76E9D566077466EE41A85
                                                                                                                SHA-256:03D0776812368478CE60E8160EC3C6938782DB1832F5CB53B7842E5840F9DBC5
                                                                                                                SHA-512:E3CED32A2EABFD0028EC16E62687573D86C0112B2B1D965F1F9D0BB5557CEF5FDF5233E87FE73BE621A52AFFE4CE53BEDF958558AA899646FA390F4541CF11EB
                                                                                                                Malicious:false
                                                                                                                Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:d
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):569664
                                                                                                                Entropy (8bit):6.521726174641651
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:iZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8bw:iZSZ13iwJmgLq83Ooc8SHkC2efw
                                                                                                                MD5:B2EEE3DEE31F50E082E9C720A6D7757D
                                                                                                                SHA1:3322840FEF43C92FB55DC31E682D19970DAF159D
                                                                                                                SHA-256:4608BEEDD8CF9C3FC5AB03716B4AB6F01C7B7D65A7C072AF04F514FFB0E02D01
                                                                                                                SHA-512:8B1854E80045001E7AB3A978FB4AA1DE19A3C9FC206013D7BC43AEC919F45E46BB7555F667D9F7D7833AB8BAA55C9098AF8872006FF277FC364A5E6F99EE25D3
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):653120
                                                                                                                Entropy (8bit):6.883968356674239
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:shr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyvRt:cU9FNPPbxPP2OeL9Q2pUmRyyvRt
                                                                                                                MD5:7538050656FE5D63CB4B80349DD1CFE3
                                                                                                                SHA1:F825C40FEE87CC9952A61C8C34E9F6EEE8DA742D
                                                                                                                SHA-256:E16BC9B66642151DE612EE045C2810CA6146975015BD9679A354567F56DA2099
                                                                                                                SHA-512:843E22630254D222DFD12166C701F6CD1DCA4A8DC216C7A8C9C0AB1AFC90189CFA8B6499BBC46408008A1D985394EB8A660B1FA1991059A65C09E8D6481A3AF8
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):30720
                                                                                                                Entropy (8bit):7.994355090548138
                                                                                                                Encrypted:true
                                                                                                                SSDEEP:768:8y7mHOHw2Ep2YSV5y0USkMestCHr5+WhGDr9bWtdBK1L:8yyYVYx0R/te5+nDrFWzkh
                                                                                                                MD5:D3CA79B1819D835C4C0EB65CD39804DF
                                                                                                                SHA1:9BCB10CB6BA5535C1BDFC3720366E6CE3D3E2A1B
                                                                                                                SHA-256:FE2CA2FFE285326B0B7059C245919312FFA524072D2CEF52B62C051D0B9A8DB3
                                                                                                                SHA-512:36A38FF6670CDB71170D558BA6B7FF8074F3CD0CBC8A56D0CE57880F62B9C53DA0BEC20CEF815C722F76062A2C112377C28B678673FF03E4A54BF6F0E070F443
                                                                                                                Malicious:true
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):25440
                                                                                                                Entropy (8bit):7.993411583727329
                                                                                                                Encrypted:true
                                                                                                                SSDEEP:768:Wdf+i8iRpBKOPfT5f4Qp0VHcCZnbSyPFpEOYD/yG+kq:W1+iR1f1fpacCZW6FpEOYeGw
                                                                                                                MD5:D08863D5E8069D42ABB577E5525C5D1D
                                                                                                                SHA1:72787582F5B712E81D067BD3D0EEC7E5C79A2DD0
                                                                                                                SHA-256:09608CDBC5D4B6E1F9F0BA409254441024855824C1FFC8789E276A9F3DF95DA2
                                                                                                                SHA-512:EC487249B6D9DDB94AC30ED7C707BE397E40E96297F90F54DAD541E16674EBB0B70958C5DFE353D4FBDCFA93986D2A967DB880482B675778F3E5AD135FAE011B
                                                                                                                Malicious:true
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):3215640
                                                                                                                Entropy (8bit):6.774316456941846
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:8VwASOZ0IU6ibGtlqozOh5P0TW/0z6a69XayVBpXiwfrdnCMvg8dP6Ip8RZ1CPwy:6b+DqX6TdxvDEIp8L1CPwDv3uFSH6
                                                                                                                MD5:9D6D2FC033754ECCAC6FA8760C33D06E
                                                                                                                SHA1:A416F37ABEAAFD6F1AF1317192DA8B4E24E8914E
                                                                                                                SHA-256:F39982B94C69D76BF6F63E73ADDE53C858891FBC0EA0CC0D743EA8AD11D77E76
                                                                                                                SHA-512:FAD8CB012954596AC965DF456B33048E61C6F9709CED6E1529077C7631E105BC3801F4405604AA1A4B15BEBDFCD9293F1619E4BD5635AB1669BB9C59F3875DFA
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1023346
                                                                                                                Entropy (8bit):7.36193105888848
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:ZN1zDmTseudV1y2MltTF4qcetHZD+lzoFgKTjDlq8odbvJonsd9JbBvILL4mHJ/6:ZH/IMf1jQtZ4qce7DxAnbBcpngr
                                                                                                                MD5:59138020613C6F1CD031541A57BE9888
                                                                                                                SHA1:D2A63DD0D9B5370EFE6E32795366187174A880B7
                                                                                                                SHA-256:ECDE4917B6D7462E820C1063330A86A3A7B9FD11CD7132A50656B3B1F26917BD
                                                                                                                SHA-512:A2C9904CF8950405B4401DCB9FE7BC2113CD99C79FFAC97D32EA730357F05C7A272E081F60D6B8C2780F33C9D26EB576BA5EB319FBA95D52EF54EC4BD356588C
                                                                                                                Malicious:false
                                                                                                                Preview:AhnLab MeD Technology MDP Rule Data File
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1666496
                                                                                                                Entropy (8bit):7.999895263234597
                                                                                                                Encrypted:true
                                                                                                                SSDEEP:49152:CtGnBjvyXRVdxgrPLvORcEKrxhh9ILt1kBDoNclZG:CQBjGIrMcHlh/IPkNoNUG
                                                                                                                MD5:A2084E2E1971E61EC04B1D6F19AB833E
                                                                                                                SHA1:093DEFCF3432EB51449C355DFE00836DC201C8DD
                                                                                                                SHA-256:8FA1CAD5599A318702DE04861AA8952A4691CD067737588F459EA37836E28ED5
                                                                                                                SHA-512:16AE5E8AFE92F5465241BBCBD2EAE2BE5F41271F277066EBB7DE885B98253A645BDB71FAEC08DA0BCAADA3A8E30BC319D8E693B315C42A79DFA24E8D647D51BE
                                                                                                                Malicious:true
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1360
                                                                                                                Entropy (8bit):7.8655860171879
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:7+V50HeJqFj9j/Vhi8JqDn0OAsYg+MuscyWJyoXVU8/bBVM0JW:yk+AN/VfJq7VhJ+MusKyoFBzB/W
                                                                                                                MD5:562C353E6B4F038CD5B52EAD4D5DA77A
                                                                                                                SHA1:197EED463470156F4564896E5E4572D222AF0466
                                                                                                                SHA-256:06A0D4D25F8C9C01F1B05492FF7FC1BB1531421FC5F2BA640F2656939FD04AEF
                                                                                                                SHA-512:8A23C03C0F2C817A6B468490F49F1F28573E1965118959610A4A8215A9E0FF207F65AD02690A94798EB6575036A8006DC98568148D66463E84BBF0E7BF2F0867
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):493566
                                                                                                                Entropy (8bit):7.81581227839091
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:JBb74u12ILVyTW/Tc1nW8wDoDqvpI3faHGuwuuSt2Y:JBbcfILVy2L8IoOvW3nu8St/
                                                                                                                MD5:C812F7791912E817E79FAC44361C3835
                                                                                                                SHA1:AE36E182A1124064A1192C2CF253F1016182AB06
                                                                                                                SHA-256:D0B9EE8D937DEA3A7FC058A5412C7518DBA0F4F31A102660986D15A8FF9582E9
                                                                                                                SHA-512:0CBCBFA857A1BE6B94AAC9BE4E5362A3686D8257841B2554CFFABD93F36C64D9055F0D333BE90C6F6AC3B94565C10EFFCA5BA27268D1E163C4B169CF95BD68EC
                                                                                                                Malicious:false
                                                                                                                Preview:AhnLab MeD Technology White List Data File
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1862
                                                                                                                Entropy (8bit):5.38478122745935
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:3SlK+vU6gaAg09kkKb+Ezo09kkK/zzbK5C09kkKsrzY:Clt8UAgXk8+E8Xkaz/MCXkJ8
                                                                                                                MD5:A806C2A878EBCAA97F095E204AD23527
                                                                                                                SHA1:83EB34D7CED2B9DC71DBB849AA21EA78EC45A78C
                                                                                                                SHA-256:6B737568E1A12AB56EA091427B691B0FB5391997EBBDC4353C4ABDD2786E110B
                                                                                                                SHA-512:52149492ED4FF37115CB8D16203BE2419B692074824EDE86647CBC1B9CAA46D23E04C9C9D8979E512EE09933D46F69B7B384678E05B74ABEDB81BB9AB6917263
                                                                                                                Malicious:false
                                                                                                                Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="1b065fdf0cb8516b0553128eae4af39c5f8eeb46"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>Vy8CgQgbu3qH5JHTK0op4kR8114=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="45d3027d87eade77317e92994790598c755b3920"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2359
                                                                                                                Entropy (8bit):5.368010340567118
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:3SlK++U6gdeB09kkKLzs09kkKDIzZOs09kkKJnzE09kkKK3MgzY:CltFD6Xk24XkBUsXkEnwXkpMg8
                                                                                                                MD5:EF0ED5B8F33C0B526101778EB14651F4
                                                                                                                SHA1:59FC443FE4A93669ACE0F59FA7986BC9A04A400A
                                                                                                                SHA-256:0E840B3AEA14A2DD7F84E0E6A923ED4B40EB139BECC2941C2D67A395DA26879C
                                                                                                                SHA-512:C0AEB711A3DC8C074577EB64433545A05DFD7BAB1259AECDD10FE2DC54BFC45463CE62D70C21302F3F136FF10E4FF48DDEE4F51CF018CD162D7FBC3834802BB4
                                                                                                                Malicious:false
                                                                                                                Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.MFC" version="9.0.30729.4148" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc90.dll" hashalg="SHA1" hash="7a86bbafeb8fab5ec5e6b34f226cde1ce9a1ae9b"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>jknaTCuYm0hCeoiYG7L8EtQPel4=</dsig:DigestValue></asmv2:hash></file> <file name="mfc90u.dll" hashalg="SHA1" hash="1817389f2b3d7b9fe5c4468c6592c536a5c2b842"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:ds
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):17408
                                                                                                                Entropy (8bit):7.988215448875895
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:7MwJ7JA2eVbEzFph4XQ24X7tooM+XJybmwDbFtSZQ2kC:7M87JAQbh4XtI7tooITDbFtSZQ2kC
                                                                                                                MD5:3A28B4C88E01A18E52E35D3D7B55C6E4
                                                                                                                SHA1:0BC5BE2CC060D68810FEAC1EDF8A1943B1429E5D
                                                                                                                SHA-256:48F8CA22A0FE2FE2B7B89FF415E04F83C893E231DA1199C065810D71BA52D564
                                                                                                                SHA-512:B685ED4CE23174F1200AEC65BEC10D9064617F75002E5DBC4DB2687C3EB6FFE03F4E5E6976E04A1F518C06B054436641D9BA26F0FDCF42A421D0C69D90C8769F
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):148480
                                                                                                                Entropy (8bit):7.998582722595543
                                                                                                                Encrypted:true
                                                                                                                SSDEEP:3072:IYNBriFUd4hT3TTblAs0DUwA0Jv4QEEv4+chBAFsqOVYRWe7r:BNVizTpAsIUwAUwQlEhBe06RBr
                                                                                                                MD5:4F6ECE9FE521269B3D94F2B8698CB12E
                                                                                                                SHA1:3FDD3955E05BE86F2A65FEB9AEE173A81E88B56D
                                                                                                                SHA-256:0E1A8E296DAAB3623FBDBE25142741DA0DEF87DB226C980FFAE88F97CCBF999D
                                                                                                                SHA-512:7B7FE7EECB936203532BC6281AA38A3F9E0A0301EA032B3CCA6FE28FC1E25690C5F15533B79BFE1A6346CFEB0FBF221D30B201BB38D1693F0015EDDBC3E8DB1B
                                                                                                                Malicious:true
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1341696
                                                                                                                Entropy (8bit):6.755727956102957
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:gXxVXQRORodg5Dmc9rBSxgQsymAKwWWK8fL+mKRaKFz8B:ghods4O8QCGxFz8B
                                                                                                                MD5:0808F116CC20A018B1CFB4B146220826
                                                                                                                SHA1:0B2351965546E478C399906211ABAE0C0D8F5FEA
                                                                                                                SHA-256:0328537F8E3D9520D6EA6C7F226A996B7987070792E2AB717DBC0CDFDA762653
                                                                                                                SHA-512:4BCC4F54AC9397AF559917865DFA5B6426178E1975B77CA7679A18FF8A7B66BF6E2A8A2EB969D2F4DB5B5AFD45E3459C090B9A0EA5765890E46B49FB30D4BB7C
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1699352
                                                                                                                Entropy (8bit):6.78854889801263
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:Sh254bNhfyVXbW5cCnYEYSOc8ctKSYn3bzMXpwWruZp1pSrdfkCG3NDZnPPM+GhL:STGOYF6CQwriGvxZnPP5GhPE+9
                                                                                                                MD5:969D634F75112D9203FB678C3CD7BB5B
                                                                                                                SHA1:AA65079E33DF01C519F94610A4EFA2B8006E9791
                                                                                                                SHA-256:2CC8C83DCAFC45438B15C2AFD8C122F24C0BA623AB30BBF00F5962FC339D859E
                                                                                                                SHA-512:3C8A3B6DA004179416F1198646575FD047D674ACF6BE00E577EA871F13B5B75F3577CE61589A1E1ACD179E7C328304D0D0BAFB6599E2C265A5F339AECCB2C0FE
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):39448
                                                                                                                Entropy (8bit):6.349725786408787
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:saTPLFr83naeA5z7VbbQ0SKvB2S8MgHHrKIYitv7tvXG8E9VF0NysI:saPFraa1ztbQDCPRgr3YitDdXlE
                                                                                                                MD5:6B53A59AD800614B3866D24472C41C22
                                                                                                                SHA1:FC470149F8E81D952A84AEF0AEE7663BE4386DD3
                                                                                                                SHA-256:6B2B3B3186177EE9366DDA6FC274B1F0F9443C8474C8B125CB3232F2F6C8EC5C
                                                                                                                SHA-512:ADE1DAAB764D21814AAEC1A72CACB12549D3E1EE332ECA8A17615EC665FA9278AA794AC9D0094ABFA77038A8F4FB836C34F2C0DE6D94309138207656C85E6D9A
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):35648
                                                                                                                Entropy (8bit):5.581929500429887
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:cwxPHe7hDWEWy5uxcx37Xtqh5iHulR1uwTvh6dKe/VD9OLH1GLz4Z1jEa:HShL2ctXtqPvRhvhynOLUz4Z1jZ
                                                                                                                MD5:62E39B9DADCD8C3AE989BF448EEBE25A
                                                                                                                SHA1:C66508EDA007BAA02221A9549D04C075778B3793
                                                                                                                SHA-256:2C0F0DF9EDA903CF3CE8246DF5B8CE8F083E28532B3EDA5153E50BC7DBC124B2
                                                                                                                SHA-512:B5951A6E89A93D7A018EDD0AE135712BCC1C71155B8DF7992B43640AD717C93A2FE513A4C206DB7A42EB7B5BFA65F543A084D61D0E6538E44A1D23E777FE6137
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):36688
                                                                                                                Entropy (8bit):5.586891090741567
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:wdPwznjqQOl6HyLW7WyJMU9sNCR0OL5AlKwKTF1ECAiJJGLz4qjXHUdT:iki8SS19sy1KKwQ1ECDJoz4qjXHUdT
                                                                                                                MD5:11BF5AB1B544480558AE86F104E9CE40
                                                                                                                SHA1:687EC93FB11D6CE44ACACFC9F9D3C412D65EEF74
                                                                                                                SHA-256:4EDCC083BF994C959FE5D15E511E19998ABE2E99E7943D3E5C8D757CAEB4F7EA
                                                                                                                SHA-512:80F85DFFD8C6A90FB65AF7F752521B1A5D0721909FC39DFAE73AB2E8BD49870DCEB453C41A0E188312627740229EB9213546DCD0C996215F214A30C9E2FD0142
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                Entropy (8bit):7.999983994478894
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                File name:astx_setup.exe
                                                                                                                File size:81412376
                                                                                                                MD5:7dd75b2c2e214c0347df3dc137161b19
                                                                                                                SHA1:072a03d9279d3ecbdb5a76c70a862a75fb50d95b
                                                                                                                SHA256:06f360d2a25c75619cb769f56ced75d3d92cd339cb3ec2e3aa9c642ba6f3158f
                                                                                                                SHA512:0e0b29069e12ac20c5ca34be9daa14415fefba2503e36fef65e35d3135c729111855d6c31baf3f29257242fbc41f3ae90f3cc15df43cd04fe3172488ad7d7791
                                                                                                                SSDEEP:1572864:V/kvfSyDj2/tdz2XqzpQWvrb8bKjCuss/4CSKdwdLexZyUemQr7VbY7:VOXO/tohWUbiCussB1WdLePtemk7t
                                                                                                                TLSH:3A0833B8BCC9E210FF3AF97DC25EB1A0F5502C035C64E42E5F0612947BF7A996360696
                                                                                                                Icon Hash:70fcd2afcbfaf021
                                                                                                                Entrypoint:0x403528
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:true
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                Time Stamp:0x609C7639 [Thu May 13 00:43:37 2021 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:5
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:5
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:5
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:25ed4ce053872020aef1006182cbb182
                                                                                                                Signature Valid:true
                                                                                                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                Signature Validation Error:The operation completed successfully
                                                                                                                Error Number:0
                                                                                                                Not Before, Not After
                                                                                                                • 1/10/2022 1:00:00 AM 1/8/2023 12:59:59 AM
                                                                                                                Subject Chain
                                                                                                                • CN="AhnLab, Inc.", O="AhnLab, Inc.", L=Seongnam-si, S=Gyeonggi-do, C=KR, SERIALNUMBER=110111-1138985, OID.1.3.6.1.4.1.311.60.2.1.1=Seongnam-si, OID.1.3.6.1.4.1.311.60.2.1.2=Gyeonggi-do, OID.1.3.6.1.4.1.311.60.2.1.3=KR, OID.2.5.4.15=Private Organization
                                                                                                                Version:3
                                                                                                                Thumbprint MD5:6EBDE07766B873648E04CE4C1362C752
                                                                                                                Thumbprint SHA-1:D9A0D370CD710CC4344B17AF5AD3351264437570
                                                                                                                Thumbprint SHA-256:EDE44A2FD6E42811226397C469421B503C7F9EE60D0186E5AD6DD08D5E9DA058
                                                                                                                Serial:0DDDA3FAE15DDCB377EFDCE3AA6BC2A5
                                                                                                                Instruction
                                                                                                                sub esp, 000002D4h
                                                                                                                push ebx
                                                                                                                push esi
                                                                                                                push edi
                                                                                                                push 00000020h
                                                                                                                pop edi
                                                                                                                xor ebx, ebx
                                                                                                                push 00008001h
                                                                                                                mov dword ptr [esp+14h], ebx
                                                                                                                mov dword ptr [esp+10h], 00408450h
                                                                                                                mov dword ptr [esp+1Ch], ebx
                                                                                                                call dword ptr [004080A4h]
                                                                                                                call dword ptr [004080C4h]
                                                                                                                and eax, BFFFFFFFh
                                                                                                                mov dword ptr [00429D40h], eax
                                                                                                                cmp ax, 0006h
                                                                                                                je 00007FC64086B4A3h
                                                                                                                push ebx
                                                                                                                call 00007FC64086DFFEh
                                                                                                                cmp eax, ebx
                                                                                                                je 00007FC64086B499h
                                                                                                                push 00000C00h
                                                                                                                call eax
                                                                                                                mov esi, 00408510h
                                                                                                                push esi
                                                                                                                call 00007FC64086DF78h
                                                                                                                push esi
                                                                                                                call dword ptr [0040812Ch]
                                                                                                                lea esi, dword ptr [esi+eax+01h]
                                                                                                                cmp byte ptr [esi], bl
                                                                                                                jne 00007FC64086B47Dh
                                                                                                                push 0000000Ch
                                                                                                                call 00007FC64086DFD2h
                                                                                                                push 0000000Ah
                                                                                                                call 00007FC64086DFCBh
                                                                                                                push 00000008h
                                                                                                                mov dword ptr [00429D44h], eax
                                                                                                                call 00007FC64086DFBFh
                                                                                                                cmp eax, ebx
                                                                                                                je 00007FC64086B4A4h
                                                                                                                push 0000001Eh
                                                                                                                call eax
                                                                                                                test eax, eax
                                                                                                                je 00007FC64086B49Ch
                                                                                                                or dword ptr [00429D40h], 40000000h
                                                                                                                push ebp
                                                                                                                call dword ptr [00408038h]
                                                                                                                push ebx
                                                                                                                call dword ptr [0040829Ch]
                                                                                                                push ebx
                                                                                                                push 000002B4h
                                                                                                                mov dword ptr [00429E38h], eax
                                                                                                                lea eax, dword ptr [esp+38h]
                                                                                                                push eax
                                                                                                                push ebx
                                                                                                                push 004085E8h
                                                                                                                call dword ptr [00408184h]
                                                                                                                push 004085D0h
                                                                                                                Programming Language:
                                                                                                                • [ C ] VS2005 build 50727
                                                                                                                • [IMP] VS2005 build 50727
                                                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                                                • [RES] VS2008 build 21022
                                                                                                                • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89b4 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x19f88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4da1700 | 0x2a18 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2ac | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x63d7 | 0x6400 | False | 0.6702734375 | data | 6.482645761656697 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1838 | 0x1a00 | False | 0.4248798076923077 | data | 4.816710225566031 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1fe3c | 0x200 | False | 0.2265625 | data | 1.730463198659969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x11000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3b000 | 0x19f88 | 0x1a000 | False | 0.7925837590144231 | data | 7.4146495664247976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3b388 | 0x10e9a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x4c228 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x4e7d0 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 6912 | English | United States
RT_ICON | 0x50478 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x51520 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
RT_ICON | 0x523c8 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | English | United States
RT_ICON | 0x53070 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
RT_ICON | 0x53918 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
RT_ICON | 0x53e80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x542e8 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 768 | English | United States
RT_DIALOG | 0x54650 | 0x100 | data | English | United States
RT_DIALOG | 0x54750 | 0x11c | data | English | United States
RT_DIALOG | 0x54870 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x548d0 | 0x92 | data | English | United States
RT_VERSION | 0x54968 | 0x2d0 | data | English | United States
RT_MANIFEST | 0x54c38 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States
DLL | Import
ADVAPI32.dll | RegDeleteKeyW, RegCloseKey, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, RegDeleteValueW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | ShellExecuteExW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHFileOperationW, SHGetSpecialFolderLocation
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | GetDlgItemTextW, SetDlgItemTextW, RegisterClassW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, SetWindowPos, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, CreateDialogParamW, EndDialog, GetSystemMetrics, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, ScreenToClient, CheckDlgButton, LoadCursorW, MessageBoxIndirectW, GetWindowLongW, GetSysColor, CharNextW, ExitWindowsEx, DestroyWindow, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, CharPrevW, DispatchMessageW, wsprintfA, SetCursor, PeekMessageW, SystemParametersInfoW
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | CreateProcessW, lstrcmpiA, GetTempFileNameW, WriteFile, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, lstrcatW, GetCurrentProcess, GetVersion, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, RemoveDirectoryW, lstrcpyA, MoveFileExW, CopyFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2022 13:42:39.917131901 CET | 63642 | 53 | 192.168.2.3 | 1.1.1.1
Nov 28, 2022 13:42:39.948183060 CET | 53 | 63642 | 1.1.1.1 | 192.168.2.3
Nov 28, 2022 13:42:40.051069021 CET | 52540 | 53 | 192.168.2.3 | 1.1.1.1
Nov 28, 2022 13:42:40.077526093 CET | 53 | 52540 | 1.1.1.1 | 192.168.2.3
Nov 28, 2022 13:42:46.376266956 CET | 57418 | 53 | 192.168.2.3 | 1.1.1.1
Nov 28, 2022 13:42:46.666229010 CET | 53 | 57418 | 1.1.1.1 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2022 13:42:39.917131901 CET | 192.168.2.3 | 1.1.1.1 | 0x1cc3 | Standard query (0) | gms.ahnlab.com | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:40.051069021 CET | 192.168.2.3 | 1.1.1.1 | 0x68bb | Standard query (0) | gms.ahnlab.com | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:46.376266956 CET | 192.168.2.3 | 1.1.1.1 | 0xf392 | Standard query (0) | webclinic.ahnlab.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2022 13:42:39.948183060 CET | 1.1.1.1 | 192.168.2.3 | 0x1cc3 | No error (0) | gms.ahnlab.com | gms.wip.ahnlab.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2022 13:42:39.948183060 CET | 1.1.1.1 | 192.168.2.3 | 0x1cc3 | No error (0) | gms.wip.ahnlab.com |  | 34.249.110.217 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:40.077526093 CET | 1.1.1.1 | 192.168.2.3 | 0x68bb | No error (0) | gms.ahnlab.com | gms.wip.ahnlab.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2022 13:42:40.077526093 CET | 1.1.1.1 | 192.168.2.3 | 0x68bb | No error (0) | gms.wip.ahnlab.com |  | 211.115.106.72 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:46.666229010 CET | 1.1.1.1 | 192.168.2.3 | 0xf392 | No error (0) | webclinic.ahnlab.com | webclinic.ahnlab.com.cdngc.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2022 13:42:46.666229010 CET | 1.1.1.1 | 192.168.2.3 | 0xf392 | No error (0) | webclinic.ahnlab.com.cdngc.net |  | 101.79.212.66 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:46.666229010 CET | 1.1.1.1 | 192.168.2.3 | 0xf392 | No error (0) | webclinic.ahnlab.com.cdngc.net |  | 101.79.212.97 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:46.666229010 CET | 1.1.1.1 | 192.168.2.3 | 0xf392 | No error (0) | webclinic.ahnlab.com.cdngc.net |  | 163.171.75.97 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 13:42:46.666229010 CET | 1.1.1.1 | 192.168.2.3 | 0xf392 | No error (0) | webclinic.ahnlab.com.cdngc.net |  | 163.171.75.66 | A (IP address) | IN (0x0001) | false


                                                                                                                Target ID:0
                                                                                                                Start time:13:40:29
                                                                                                                Start date:28/11/2022
                                                                                                                Path:C:\Users\user\Desktop\astx_setup.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\astx_setup.exe
                                                                                                                Imagebase:0x400000
                                                                                                                File size:81412376 bytes
                                                                                                                MD5 hash:7DD75B2C2E214C0347DF3DC137161B19
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.2413738502.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low

Target ID:2
Start time:13:40:30
Start date:28/11/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /C "ECHO Y| cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)"
Imagebase:0x390000
File size:236032 bytes
MD5 hash:4943BA1A9B41D69643F69685E35B2943
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:3
Start time:13:40:30
Start date:28/11/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff74e0f0000
File size:885760 bytes
MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:4
Start time:13:40:30
Start date:28/11/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"
Imagebase:0x390000
File size:236032 bytes
MD5 hash:4943BA1A9B41D69643F69685E35B2943
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:5
Start time:13:40:31
Start date:28/11/2022
Path:C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):true
Commandline:cacls C:\Users\user\AppData\Local\Temp\asfB6FB.tmp /s:D:PAI(A;;FA;;;BA)
Imagebase:0x630000
File size:27648 bytes
MD5 hash:B304B0EF47E125F696425BD99096D3E3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:6
Start time:13:40:49
Start date:28/11/2022
Path:C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\asfB6FB.tmp\V3Medic.exe"
Imagebase:0x400000
File size:1294968 bytes
MD5 hash:F4116873D9C057697783C2C128708617
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:low

Target ID:15
Start time:13:40:53
Start date:28/11/2022
Path:C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Imagebase:0x400000
File size:95728 bytes
MD5 hash:9005E21833E657558F139A3D3945C97D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:low

Target ID:16
Start time:13:40:53
Start date:28/11/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff74e0f0000
File size:885760 bytes
MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:17
Start time:13:40:58
Start date:28/11/2022
Path:C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\nsdE18B.tmp\SysX64.exe
Imagebase:0x400000
File size:95728 bytes
MD5 hash:9005E21833E657558F139A3D3945C97D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:18
Start time:13:40:59
Start date:28/11/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff74e0f0000
File size:885760 bytes
MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

No disassembly